Pack2TheRoot flaw lets local Linux users gain root through PackageKit
A newly disclosed Linux privilege escalation flaw called Pack2TheRoot can let a local unprivileged user gain root on vulnerable systems. Deutsche Telekom’s Red Team says the issue affects PackageKit and can allow unauthorized package installation or removal, which can then lead to full system compromise.
The bug is tracked as CVE-2026-41651 and carries a CVSS 3.1 score of 8.8. The National Vulnerability Database and Telekom’s disclosure both describe it as a time-of-check to time-of-use race condition in PackageKit versions 1.0.2 through 1.3.4, patched in version 1.3.5.
This is a local attack, not a remote wormable bug. An attacker needs local access first, but once they have that foothold, the flaw can let them install packages as root without proper authorization. That makes it a serious post-compromise escalation path on Linux desktops and some servers.
Why this flaw matters
PackageKit sits between the user and the distro’s package manager, giving software centers and other tools a common way to install, update, and remove software. Telekom says that broad footprint creates a large attack surface across Linux distributions that ship PackageKit enabled.
Telekom says it explicitly confirmed exploitability on default installations of Ubuntu Desktop 18.04, 24.04.4 LTS, and 26.04 beta, Ubuntu Server 22.04 through 24.04 LTS, Debian Desktop Trixie 13.4, Rocky Linux Desktop 10.1, and Fedora 43 Desktop and Server. The researchers add that other distributions shipping PackageKit enabled should also be considered potentially vulnerable until patched.
The PackageKit maintainer went even broader in the coordinated disclosure. Matthias Klumpp wrote on oss-security that users should assume all PackageKit versions up to 1.3.4 are vulnerable unless a distro has already backported a fix.
How the exploit works
Public advisories stay intentionally light on exploit detail, but the core impact is clear. The flaw corrupts PackageKit transaction flags in a way that lets an unprivileged user perform package operations as root, bypassing normal authorization.
Telekom says the bug surfaced during research into Linux local privilege escalation paths after the team noticed that a pkcon install command could install a system package on Fedora Workstation without asking for a password. The company also says it used Claude Opus to help guide part of the investigation, with the final findings manually reviewed and verified before disclosure.
The practical risk is simple. If a low-privilege user can install or remove packages as root, they can often move quickly to full code execution, persistence, or security bypass. On systems where PackageKit is present by default, that can turn a minor foothold into a full compromise in seconds. That last sentence is an inference based on the root-level package install capability documented in the advisories.
Who should worry first
Desktops look especially exposed because PackageKit commonly ships there by default. Telekom’s test list heavily features desktop builds, though the researchers also confirmed server impact on Ubuntu Server and warned that Cockpit deployments may increase exposure on servers.
That Cockpit angle matters for enterprise teams. Telekom says PackageKit is an optional dependency of Cockpit, so many servers with Cockpit installed may also be vulnerable, including Red Hat Enterprise Linux environments.
Ubuntu’s tracker shows the CVE now published and under evaluation across several supported releases, while Debian’s tracker already lists fixed package versions for both bookworm-security and trixie-security. That means distro response is underway, but patch status still varies by release and vendor.
Quick facts
| Item | Details |
|---|---|
| Vulnerability | Pack2TheRoot |
| CVE | CVE-2026-41651 |
| Affected component | PackageKit |
| Severity | CVSS 3.1 8.8 |
| Attack type | Local privilege escalation |
| Affected upstream versions | 1.0.2 through 1.3.4 |
| Fixed upstream version | 1.3.5 |
| Researcher | Deutsche Telekom Red Team |
How to check if your system may be vulnerable
Telekom says checking the process list is not enough because PackageKit and Cockpit can activate on demand through D-Bus. Instead, the company recommends checking whether PackageKit is installed and then comparing the installed version against vulnerable or patched builds.
For Debian and Ubuntu systems, Telekom suggests:

```shell
dpkg -l | grep -i packagekit
```

For RPM-based systems, Telekom suggests:

```shell
rpm -qa | grep -i packagekit
```
The researchers also say defenders can inspect PackageKit logs for a strong sign of exploitation. They recommend reviewing journal entries for emitted_finished, because an assertion failure at pk-transaction.c:514 can indicate active abuse of the bug.
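The check described above, turned into a small triage script. This is an added example, not code from Telekom's advisory or the PackageKit project: it looks up the installed version with dpkg or rpm, compares it against the advisory's 1.0.2 through 1.3.4 range, and scans the packagekit journal unit for the pk-transaction.c:514 / emitted_finished indicator. The package names (`packagekit` on Debian, `PackageKit` on RPM systems), the `packagekit` unit name and the log line shape are assumptions; backported fixes keep old version strings, so an "in range" result means "check your vendor's tracker", not "confirmed vulnerable".

```shell
# Added triage helper for CVE-2026-41651; not from the Telekom advisory or PackageKit.
# Advisory: upstream 1.0.2 through 1.3.4 vulnerable, 1.3.5 fixed. Assumption: distro
# backports keep the old version string, so "in range" means "check your vendor's tracker".

# True when dotted version $1 <= $2, compared numerically component by component.
verle() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$ax" = "$a" ] && a="" || a="${a#*.}"
        [ "$bx" = "$b" ] && b="" || b="${b#*.}"
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
    done
    return 0
}
# True when the version is in the advisory range 1.0.2..1.3.4; epoch ("1:") and
# distro suffixes ("-2ubuntu1") are stripped first.
pk_version_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/^[0-9]*://; s/^[^0-9]*//; s/[^0-9.].*$//')
    [ -n "$v" ] && verle 1.0.2 "$v" && verle "$v" 1.3.4
}
# Journal indicator from the advisory: an assertion failure at pk-transaction.c:514,
# reviewed alongside emitted_finished entries. Classifies one log line.
pk_log_line_suspicious() {
    case "$1" in
        *pk-transaction.c:514*|*emitted_finished*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: version via dpkg or rpm (the advisory's suggested tools), then journal scan.
# Package and unit names are assumptions for Debian/Ubuntu and RPM-based systems.
pk_triage() {
    ver=""
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f='${Version}' packagekit 2>/dev/null) || ver=""
    elif command -v rpm >/dev/null 2>&1 && rpm -q PackageKit >/dev/null 2>&1; then
        ver=$(rpm -q --qf '%{VERSION}\n' PackageKit | head -n1)
    fi
    if [ -z "$ver" ]; then echo "PackageKit not found via dpkg/rpm"
    elif pk_version_vulnerable "$ver"; then echo "PackageKit $ver: in vulnerable range, verify backport status"
    else echo "PackageKit $ver: outside the vulnerable range"; fi
    command -v journalctl >/dev/null 2>&1 || return 0
    journalctl -u packagekit --no-pager 2>/dev/null | while IFS= read -r line; do
        pk_log_line_suspicious "$line" && echo "SUSPICIOUS: $line"
    done
}

pk_triage
```

Run it as `sh pk_triage.sh` on the host you want to check; a version inside the range is a prompt to consult the distro's security tracker, since backported fixes do not bump the upstream version.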
What admins should do now
Patch first. The PackageKit maintainer says version 1.3.5 fixes the flaw, and Telekom says distro backports started shipping on April 22, 2026.
If you run Debian, the security tracker shows fixed builds for bookworm and trixie. If you run Ubuntu, Canonical’s CVE page confirms active security handling, though release status was still marked “Needs evaluation” on some versions when I checked.
If you cannot patch immediately, reduce local attack paths wherever possible and review whether PackageKit needs to stay installed and enabled on sensitive systems. That mitigation advice is an inference from the fact that this is a local PackageKit issue, not a network-facing bug.
FAQ
What is Pack2TheRoot?
It is a local privilege escalation flaw in PackageKit that can let an unprivileged user perform root-level package operations and potentially take over the system.
Can it be exploited remotely?
No. The advisories describe it as a local vulnerability. An attacker needs local access or an existing foothold first.
Which PackageKit versions are affected?
Upstream advisories say versions 1.0.2 through 1.3.4 are vulnerable unless a distro backported a fix.
What fixes it?
Upstream PackageKit 1.3.5 fixes the issue, and distro-specific patched packages are also rolling out.