New ‘Pack2TheRoot’ flaw gives hackers root Linux access

NEW PACK2THEROOT FLAW GIVES HACKERS ROOT LINUX ACCESS

1. Overview

• A new vulnerability named Pack2TheRoot affects the PackageKit daemon, enabling local Linux users to install or remove system packages and potentially gain root permissions.
• The flaw is tracked as CVE-2026-41651 and received a medium severity rating of 8.8 out of 10.
• The issue has persisted in PackageKit for nearly 12 years, spanning multiple releases and configurations where PackageKit is present and enabled by default.
• A patch was published in PackageKit version 1.3.5, but detailed exploit information and a public demonstration were withheld to allow patches to propagate.

1. Technical Background

• The root cause lies in the mechanism PackageKit uses to handle package management requests, allowing certain commands to execute without requiring authentication under specific conditions.
• The vulnerability can be triggered by commands such as pkcon install under affected setups, potentially permitting a local user to install or remove system packages with elevated privileges.
• Investigations indicate that the exploitation path involves the PackageKit daemon processing requests in a way that bypasses expected authentication checks in some Fedora-based and other PackageKit-enabled environments.

1. Discovery and Investigation

• The Deutsche Telekom Red Team conducted the investigation and published findings regarding Pack2TheRoot.
• Key discoveries include the identification of the root cause within the package management request handling, rather than a flaw in a separate component.
• The team confirmed the vulnerability through testing and analysis, and they shared the CVE when describing the flaw’s scope and impact.
• An exploration using advanced tooling indicated how an attacker could leverage this behavior to reach root-level access on compromised hosts.

1. Affected Systems and Versions

• The vulnerability has been demonstrated on several distributions and configurations that ship PackageKit by default.
• Representative examples of affected platforms include:
• Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta)
• Ubuntu Server 22.04 – 24.04 (LTS)
• Debian Desktop Trixie 13.4
• RockyLinux Desktop 10.1
• Fedora 43 Desktop and Fedora 43 Server
• The list is not exhaustive; any Linux distribution using PackageKit should be considered potentially vulnerable.
• The presence of PackageKit in a default, enabled state greatly increases exposure to local privilege escalation.

1. Impact and Observability

• Successful exploitation could allow a local user to perform privileged package management actions, effectively gaining root access on the compromised system.
• Observers noted signs of exploitation including assertion failures and crashes in the PackageKit daemon, with crash artifacts sometimes appearing in system logs even after recovery.
• The issue is particularly dangerous in multi-user environments or systems where untrusted users have local access.

1. Fixes, Patches, and Advisories

• Software maintainers released a fix in PackageKit version 1.3.5 to address CVE-2026-41651.
• The vulnerability originated in PackageKit versions dating back to 1.0.2 (November 2014) and affected all versions up to 1.3.4 before the fix.
• The project’s security advisory GHSA-f55j-vvr9-69xv provides a summary of affected ranges and the recommended remediation path.
• After disclosure, maintainers and distribution vendors urged users to upgrade to the patched release and to ensure any dependent software has moved away from vulnerable PackageKit interfaces.

1. Indicators of Compromise and Observation

• Local privilege escalation attempts may result in abnormal PackageKit behavior, crashes, or assertion failures, with logs showing unexpected activity around package management requests.
• Systems that are pre-installed with PackageKit and kept enabled out-of-the-box are at elevated risk, particularly if they remain on versions prior to 1.3.5.
• The vulnerability’s presence across multiple major distributions underscores the importance of validating the PackageKit version and ensuring timely patching.

1. Scope and Risk Considerations

• The flaw is notable for its long-standing presence (nearly a decade) and its potential to bypass typical permission controls on local hosts.
• While the patch provides a remedy, the breadth of affected environments means that organizations with diverse Linux deployments may need targeted verification across endpoints.
• Because the issue involves local access and package management operations, the primary risk scenario involves users with legitimate local access exploiting the flaw to gain elevated privileges.

1. Related References and Context

• CVE-2026-41651: The identifier associated with Pack2TheRoot.
• PackageKit security advisory GHSA-f55j-vvr9-69xv: Guidance on affected versions and patching considerations.
• Deutsche Telekom Red Team investigation: Primary source of discovery and technical assessment.
• Patch release details: PackageKit version 1.3.5 as the fix point.
• Broader context: Pack2TheRoot is categorized under local privilege escalation and relates to how package management interfaces handle authentication and authorization.

1. Glossary of Key Terms

• Pack2TheRoot: The name given to the vulnerability involving the PackageKit daemon.
• PackageKit: A background service responsible for managing software installation, updates, and removal on Linux systems.
• CVE-2026-41651: The common vulnerabilities and exposures identifier for this flaw.
• Local Privilege Escalation (LPE): An attack where an intruder with local access gains higher privileges.
• pkcon: The PackageKit command-line tool used to manage packages.
• Authentication bypass: A condition where a command executes without the required authentication step.

1. Summary Points

• Pack2TheRoot represents a significant local privilege escalation risk tied to the PackageKit daemon across multiple Linux distributions.
• The vulnerability has a long history, with a patch available in a recent PackageKit release but widespread exposure due to older deployments and default configurations.
• Detection centers on PackageKit’s behavior around package management commands and system logs showing anomalies or daemon crashes.
• Remediation widely centers on upgrading to the patched version (1.3.5) and auditing systems to identify any dependent software that relies on the vulnerable package management interfaces.