Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access

An easily exploitable, high-severity vulnerability in the PackageKit cross-distro package management abstraction layer allows unprivileged users to install packages with root privileges. Tracked as CVE-2026-41651 (CVSS score of 8.1), the flaw is described as a time-of-check time-of-use (TOCTOU) race condition on transaction flags. Referred to as Pack2TheRoot, the bug is a combination of three issues, where caller-supplied flags are written without checking if the transaction is authorized or even when the transaction is running. This results in a transaction running with corrupted flags and, because the flags are read at dispatch, not at authorization time, the backend sees the attacker’s flags. Unprivileged users can exploit Pack2TheRoot to install arbitrary RPM packages as root, including scriplets, without authentication, a NIST advisory reads. The security defect has been confirmed to impact PackageKit versions 1.0.2 to 1.3.4, but likely existed since version 0.8.1, which was released 14 years ago (1.0.2 was released 12 years ago). According to Deutsche Telekom’s Red Team, which discovered the vulnerability, Linux distributions confirmed as affected include Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta), Ubuntu Server 22.04 – 24.04 (LTS), Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, Fedora 43 Desktop, and Fedora 43 Server. “It is reasonable to assume that all distributions that ship PackageKit with it enabled are vulnerable. Since PackageKit is an optional dependency of the Cockpit project, many servers with Cockpit installed might be vulnerable as well, including Red Hat Enterprise Linux (RHEL),” Deutsche Telekom notes. The company has refrained from sharing technical details on the flaw, noting that it is easily exploitable and that it could allow attackers to gain “root access or compromise the system in other ways”. “Even though the vulnerability is reliably exploitable in seconds, it leaves traces that serve as a strong indicator of compromise. After successful exploitation, the PackageKit daemon hits an assertion failure and crashes. Systemd recovers the daemon on the next D-Bus invocation, preventing a denial-of-service, but the crash is observable in the system logs,” Deutsche Telekom says. Pack2TheRoot was addressed in PackageKit version 1.3.5. Patches for it have also been included in recent Debian, Ubuntu, and Fedora updates.  Related: Organizations Warned of Exploited Linux Vulnerabilities Related: New ‘SSHStalker’ Linux Botnet Uses Old Techniques Related: Recent Microsoft Defender Vulnerability Exploited as Zero-Day Related: Recent Apache ActiveMQ Vulnerability Exploited in the Wild WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions US Federal Agency’s Cisco Firewall Infected With ‘Firestarter’ Backdoor Bitwarden NPM Package Hit in Supply Chain Attack Cloudsmith Raises $72 Million in Series C Funding Rilian Raises $17.5 Million for AI-Native Security Orchestration Luxury Cosmetics Giant Rituals Discloses Data Breach Apple Patches iOS Flaw Allowing Recovery of Deleted Chats Recent Microsoft Defender Vulnerability Exploited as Zero-Day Latest News Incomplete Windows Patch Opens Door to Zero-Click Attacks OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years Malicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: Google Energy and Water Management Firm Itron Hacked UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware US Launches Sweeping Crackdown on Southeast Asia Cyberscams and Sanctions Cambodian Senator Firefox Vulnerability Allows Tor User Fingerprinting China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Neill Feather has been named Chief Executive Officer at Point Wild. Oasis Security has appointed Michael DeCesare as President. Sterling Wilson has joined IGEL as Global Field CTO, Business Continuity and Disaster Recovery. More People On The Move Expert Insights Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Flipboard Reddit Whatsapp Email