An easily exploitable, high-severity vulnerability in the PackageKit cross-distro package management abstraction layer allows unprivileged users to install packages with root privileges.
Tracked as CVE-2026-41651 (CVSS score of 8.1), the flaw is described as a time-of-check time-of-use (TOCTOU) race condition on transaction flags.
Referred to as Pack2TheRoot, the bug is a combination of three issues: caller-supplied flags are written to the transaction without checking whether the transaction has already been authorized, or even whether it is already running.
This results in a transaction running with corrupted flags and, because the flags are read at dispatch time rather than at authorization time, the backend acts on the attacker’s flags instead of the ones that were authorized.
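To illustrate the bug class described above, here is an added example that is not PackageKit’s code and not the fix shipped in version 1.3.5: a hypothetical transaction model in which flags are checked at authorization but re-read at dispatch, beside an assumed hardening that freezes the flags once authorization starts and dispatches only the authorized snapshot. The flag names "simulate" and "install" are constructed for the example.

```python
class FlagsError(Exception):
    """Raised by the hardened model when flags are written too late."""

class VulnerableTransaction:
    """Hypothetical model: flags are checked at authorization but re-read at dispatch."""
    def __init__(self):
        self.state = "new"                # new -> authorized -> running
        self.flags = frozenset()
    def set_flags(self, flags):
        self.flags = frozenset(flags)     # no state check: the TOCTOU window
    def authorize(self, allowed):
        if not self.flags <= allowed:     # check: the flags as they are *now*
            raise PermissionError("flags exceed caller's privileges")
        self.state = "authorized"
    def dispatch(self):
        self.state = "running"
        return self.flags                 # use: whatever the flags are *now*

class HardenedTransaction(VulnerableTransaction):
    """Assumed hardening (not PackageKit's patch): freeze flags at authorization."""
    def __init__(self):
        super().__init__()
        self.approved = None              # snapshot taken at authorization
    def set_flags(self, flags):
        if self.state != "new":
            raise FlagsError("flags are frozen once authorization starts")
        super().set_flags(flags)
    def authorize(self, allowed):
        super().authorize(allowed)
        self.approved = self.flags        # record exactly what was authorized
    def dispatch(self):
        if self.approved is None:
            raise FlagsError("dispatch before authorization")
        self.state = "running"
        return self.approved              # backend never sees a later write

def run(txn_cls, allowed, initial, late):
    """Authorize `initial`, attempt a late write of `late`, then dispatch.
    Returns (fate of the late write, flags the backend actually sees)."""
    txn = txn_cls()
    txn.set_flags(initial)
    txn.authorize(allowed)
    try:
        txn.set_flags(late)
        fate = "accepted"
    except FlagsError:
        fate = "rejected"
    return fate, txn.dispatch()

if __name__ == "__main__":
    for cls in (VulnerableTransaction, HardenedTransaction):
        print(cls.__name__, run(cls, {"simulate"}, {"simulate"}, {"install"}))
```

The vulnerable model dispatches the late "install" flag even though only "simulate" was authorized; the hardened model rejects the late write and dispatches the authorized snapshot.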
Unprivileged users can exploit Pack2TheRoot to install arbitrary RPM packages as root, including scriptlets, without authentication, a NIST advisory reads.
The security defect has been confirmed to impact PackageKit versions 1.0.2 to 1.3.4, but likely existed since version 0.8.1, which was released 14 years ago (1.0.2 was released 12 years ago).
According to Deutsche Telekom’s Red Team, which discovered the vulnerability, Linux distributions confirmed as affected include Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta), Ubuntu Server 22.04 – 24.04 (LTS), Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, Fedora 43 Desktop, and Fedora 43 Server.
“It is reasonable to assume that all distributions that ship PackageKit with it enabled are vulnerable. Since PackageKit is an optional dependency of the Cockpit project, many servers with Cockpit installed might be vulnerable as well, including Red Hat Enterprise Linux (RHEL),” Deutsche Telekom notes.
The company has refrained from sharing technical details on the flaw, noting that it is easily exploitable and that it could allow attackers to gain “root access or compromise the system in other ways”.
“Even though the vulnerability is reliably exploitable in seconds, it leaves traces that serve as a strong indicator of compromise. After successful exploitation, the PackageKit daemon hits an assertion failure and crashes. Systemd recovers the daemon on the next D-Bus invocation, preventing a denial-of-service, but the crash is observable in the system logs,” Deutsche Telekom says.
Pack2TheRoot was addressed in PackageKit version 1.3.5. Patches for it have also been included in recent Debian, Ubuntu, and Fedora updates.