Pardus Linux Local Privilege Escalation Flaw Allows Silent Root Access

HomeCyber Security News Pardus Linux Local Privilege Escalation Flaw Allows Silent Root Access By Abinaya May 20, 2026 A critical vulnerability chain affecting Pardus Linux has been disclosed, allowing local users to gain full root privileges without authentication. The issue, assigned a CVSS v3.1 score of 9.3, impacts the pardus-update package, a core component responsible for system updates in the Debian-based distribution maintained by TÜBİTAK. Pardus is widely deployed across government institutions, educational environments, and enterprise systems in Turkey, making this flaw particularly significant in shared and multi-user environments. Security researcher Çağrı Eser (0xc4gr1) identified that the issue is not a single bug, but a combination of three weaknesses that together enable complete system compromise. These include a PolicyKit (Polkit) misconfiguration, a carriage return-line feed (CRLF) injection flaw, and an untrusted file path vulnerability. Pardus Linux Privilege Escalation Flaw The first issue lies in the Polkit policy configuration. Critical update actions, such as aptupdateaction and autoaptupgradeaction, were configured with “allow_any=yes,” allowing any user to execute privileged operations without authentication. This effectively grants passwordless root execution of backend Python scripts via pkexec. The second flaw exists in the SystemSettingsWrite.py script, which writes user-controlled input into a configuration file. While newline characters are filtered, carriage return characters are not. This allows attackers to inject arbitrary configuration entries into /etc/pardus/pardus-update.conf. By crafting a malicious input, attackers can insert a custom APT source path pointing to a file under their control. The third issue arises in AutoAptUpgrade.py, which processes the manipulated configuration. The script blindly copies attacker-supplied APT source files into /etc/apt/sources.list.d/ without validation. This enables attackers to introduce a malicious repository and trigger package installation as root. In a proof-of-concept exploit, an attacker creates a rogue APT repository containing a malicious .deb package. During installation, the package sets the SUID bit on /bin/bash, allowing privilege escalation. Once executed, the attacker gains an instant root shell using “/bin/bash -p,” achieving full system compromise. The impact is severe. Attackers gain unrestricted access to sensitive files such as /etc/shadow, can install persistent backdoors, modify system binaries, and fully control the system. The vulnerability requires only local access and no user interaction, making it highly exploitable in shared systems or after initial compromise. To mitigate the issue, administrators must apply three key fixes. First, update the Polkit policy to require administrator authentication instead of allowing unrestricted access. Second, sanitize all user input in SystemSettingsWrite.py to remove carriage returns and newlines. Third, restrict APT source file paths in AutoAptUpgrade.py to trusted directories and block world-writable locations. According to a report by nullsecurityx, the vulnerability chain demonstrates how multiple seemingly minor low-level misconfigurations can escalate into a critical security compromise. Organizations using Pardus Linux are strongly advised to implement these fixes immediately to prevent exploitation. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News OpenAI Hit with Class-Action Privacy Lawsuit for Sharing ChatGPT Data with Google and Meta FreePBX Vulnerability Allow Attackers to Gain Access to User Portals Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets Cisco Catalyst SD-WAN Controller 0-Day Actively Exploited to Gain Admin Access Latest News Cyber Security News FreePBX Vulnerability Allow Attackers to Gain Access to User Portals Cyber Security Critical ExifTool Vulnerability Allows Attackers to Compromise Macs via Single Malicious Image Cyber Security News Hackers Use Single-Letter Go Module Typosquat to Deploy DNS-Based Backdoor Cyber Attack News Microsoft Python Client DurableTask Compromised by TeamPCP Hackers Cyber Security News Hackers Abuse MSHTA Legacy Windows Tool to Deliver LummaStealer and Amatera Malware