Vulnerabilities | Apr 24, 2026

New ‘Pack2TheRoot’ flaw gives hackers root Linux access

Pack2TheRoot vulnerability in PackageKit daemon allows local Linux users to gain root access.

Summary

CVE-2026-41651, dubbed Pack2TheRoot, is a medium-severity (8.8/10) flaw that has been present in the PackageKit daemon on Linux systems for nearly 12 years. The vulnerability allows local users to install or remove system packages and gain root permissions by exploiting an authentication bypass in package management requests. PackageKit version 1.3.5 addresses the issue; all distributions with PackageKit pre-installed are potentially vulnerable.

Full text

By Bill Toulas, April 24, 2026, 01:28 PM

A new vulnerability dubbed Pack2TheRoot could be exploited in the PackageKit daemon to allow local Linux users to install or remove system packages and gain root permissions.

The flaw is identified as CVE-2026-41651 and received a medium-severity rating of 8.8 out of 10. It has persisted for almost 12 years in the PackageKit daemon, a background service that manages software installation, updates, and removal across Linux systems.

Earlier this week, some information about the vulnerability was published, along with PackageKit version 1.3.5, which addresses the issue. However, technical details and a demo exploit have not been disclosed, to allow the patches to propagate.

An investigation by the Deutsche Telekom Red Team uncovered that the cause of the bug is the mechanism PackageKit uses to handle package management requests.

Specifically, the researchers found that commands like ‘pkcon install’ could execute without requiring authentication under certain conditions on a Fedora system, allowing them to install a system package.

Using the Claude Opus AI tool, they further explored the potential for exploiting this behavior and discovered CVE-2026-41651.

[Image: Redacted PoC exploit for Pack2TheRoot. Source: Deutsche Telekom]

Impact and fixes

Deutsche Telekom's Red Team reported their findings to Red Hat and PackageKit maintainers on April 8.

They state that it’s safe to assume that all distributions that come with PackageKit pre-installed and enabled out-of-the-box are vulnerable to CVE-2026-41651.

The vulnerability has been present since PackageKit version 1.0.2, released in November 2014, and affects all versions through 1.3.4, according to the project's security advisory.

Researchers' testing has confirmed that an attacker could exploit the CVE-2026-41651 vulnerability in the following Linux distributions:

  • Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta)
  • Ubuntu Server 22.04 – 24.04 (LTS)
  • Debian Desktop Trixie 13.4
  • RockyLinux Desktop 10.1
  • Fedora 43 Desktop
  • Fedora 43 Server

The list is not exhaustive, though, and any Linux distribution using PackageKit should be treated as potentially vulnerable to attacks.

Users should upgrade to PackageKit version 1.3.5 as soon as possible, and ensure that any other software using the package as a dependency has been moved to a safe release.

Users can use the commands below to check if they have a vulnerable version of PackageKit installed and if the daemon is running:

    dpkg -l | grep -i packagekit
    rpm -qa | grep -i packagekit

Users can run systemctl status packagekit or pkmon to check if the PackageKit daemon is available and running, which indicates that the system may be at risk if left unpatched.

Although no details about the state of exploitation have been shared, the researchers noted that exploitation leaves strong signs of compromise, because it leads to the PackageKit daemon hitting an assertion failure and crashing. Even if systemd recovers the daemon, the crash is observable in the system logs.
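The checks above can be combined into one triage script. This is an added example, not code from the article, the researchers, or the PackageKit project: it compares the installed upstream version against the 1.0.2 to 1.3.4 range and counts SIGABRT exits of the daemon in the journal. Assumptions: the package names packagekit (dpkg) and PackageKit (rpm), the script name pk_triage.sh, and that the assertion failure is recorded by systemd as a status=6/ABRT exit.

```shell
#!/bin/sh
# Added example, not from the article. Affected range 1.0.2..1.3.4 is the article's.

# Strip epoch ("1:") and distro suffix ("-2ubuntu1", "-1.fc43") from a package version.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# version_le A B: true when A <= B in version order (relies on sort -V).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True when the upstream version falls inside the affected range.
pk_in_affected_range() {
    v=$(upstream_version "$1")
    [ -n "$v" ] && version_le 1.0.2 "$v" && version_le "$v" 1.3.4
}

# Count journal lines (stdin) where systemd records the daemon dying on SIGABRT.
# Assumption: the assertion failure ends the process with abort(), i.e. status=6/ABRT.
pk_abort_count() {
    grep -c -E 'packagekit\.service: Main process exited, code=(dumped|killed), status=6/ABRT' || true
}

# Live check: installed version, daemon state, and abort records in the journal.
pk_triage() {
    ver=$(dpkg-query -W -f='${Version}' packagekit 2>/dev/null) ||
        ver=$(rpm -q --qf '%{VERSION}' PackageKit 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then echo "PackageKit package not found"; return 0; fi
    if pk_in_affected_range "$ver"; then
        echo "PackageKit $ver: in affected range, confirm against your distro's advisory"
    else
        echo "PackageKit $ver: outside affected range"
    fi
    systemctl is-active --quiet packagekit 2>/dev/null && echo "daemon is running"
    n=$(journalctl -u packagekit --no-pager 2>/dev/null | pk_abort_count)
    echo "SIGABRT exits of packagekit.service in journal: $n"
}

# Run the live check only when asked: sh pk_triage.sh --check
if [ "${1:-}" = "--check" ]; then pk_triage; fi
```

A version inside the range is a prompt to check the distribution's own advisory, since distributions can ship a backported fix under an older upstream version number.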

Indicators of Compromise

  • cve — CVE-2026-41651

Entities

  • PackageKit (product)
  • Red Hat (vendor)
  • Deutsche Telekom (vendor)
  • Claude Opus (product)
  • Linux (technology)