A newly disclosed vulnerability dubbed Pack2TheRoot can be exploited in the PackageKit daemon to let local Linux users install or remove system packages and gain root privileges.
The flaw is tracked as CVE-2026-41651 and received a medium-severity score of 8.8 out of 10. It has persisted for almost 12 years in the PackageKit daemon, a background service that manages software installation, updates, and removal across Linux systems.
Earlier this week, some information about the vulnerability was published, together with PackageKit version 1.3.5, which addresses the issue. However, technical details and a proof-of-concept exploit have not been disclosed, to allow the patches to propagate.
An investigation by the Deutsche Telekom Red Team found that the root cause of the bug is the mechanism PackageKit uses to handle package management requests.
Specifically, the researchers found that commands like 'pkcon install' could execute without requiring authentication under certain conditions on a Fedora system, allowing them to install a system package.
Using the Claude Opus AI tool, they further explored the potential for exploiting this behavior and discovered CVE-2026-41651.

Source: Deutsche Telekom
Impact and fixes
Deutsche Telekom's Red Team reported their findings to Red Hat and the PackageKit maintainers on April 8. They state that it is safe to assume that all distributions that ship PackageKit pre-installed and enabled out of the box are vulnerable to CVE-2026-41651.
The vulnerability has been present since PackageKit version 1.0.2, released in November 2014, and affects all versions through 1.3.4, according to the project's security advisory.
The researchers' testing confirmed that an attacker could exploit CVE-2026-41651 on the following Linux distributions:
- Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta)
- Ubuntu Server 22.04 – 24.04 (LTS)
- Debian Desktop Trixie 13.4
- RockyLinux Desktop 10.1
- Fedora 43 Desktop
- Fedora 43 Server
The list is not exhaustive, though, and any Linux distribution using PackageKit should be treated as potentially vulnerable.
Users should upgrade to PackageKit version 1.3.5 as soon as possible, and make sure that any other software using the package as a dependency has been moved to a safe release.
Users can use the commands below to check whether they have a vulnerable version of PackageKit installed and whether the daemon is running:
dpkg -l | grep -i packagekit
rpm -qa | grep -i packagekit
Users can run systemctl status packagekit or pkmon to check whether the PackageKit daemon is available and running, which indicates that the system may be at risk if left unpatched.
Although no details about the state of exploitation have been shared, the researchers noted that there are strong indicators of compromise, because exploitation causes the PackageKit daemon to hit an assertion failure and crash.
Even if systemd restarts the daemon, the crash is observable in the system logs.
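The two checks described above, the installed-version test against the fixed release 1.3.5 and the crash-in-the-logs indicator, as one added example script. This is not code from the article or from the PackageKit project. It assumes the package is named "packagekit" on Debian/Ubuntu and "PackageKit" on Fedora/RHEL derivatives, and the journal lines in SAMPLE_LOG are constructed for illustration; the exact wording of the assertion message is not known here, so the pattern only looks for "assert" from packagekitd or a systemd report of the service dying on SIGABRT.

```shell
#!/bin/sh
# Added example, not code from the article or the PackageKit project.
# Checks whether the installed PackageKit predates the fixed release 1.3.5
# named in the article and whether the daemon is active, and scans log text
# for the crash the researchers describe. SAMPLE_LOG is constructed.

FIXED_VERSION="1.3.5"   # first fixed release according to the article

# version_lt A B: prints 1 if dotted version A is older than B, else 0.
# Fields are compared numerically, so 1.10.0 sorts after 1.3.5.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print 1; exit }
            if (xi > yi) { print 0; exit }
        }
        print 0
    }'
}

# packagekit_status VERSION: NEEDS_UPDATE below 1.3.5, otherwise FIXED.
packagekit_status() {
    if [ "$(version_lt "$1" "$FIXED_VERSION")" = 1 ]; then
        echo NEEDS_UPDATE
    else
        echo FIXED
    fi
}

# Upstream version of the installed package, stripped of the distro epoch
# and revision (e.g. "1:1.2.8-2ubuntu1" -> "1.2.8"). Package names are an
# assumption: "packagekit" (dpkg) and "PackageKit" (rpm).
installed_packagekit_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' packagekit 2>/dev/null \
            | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' PackageKit 2>/dev/null
    fi
    return 0
}

# State systemd reports for the daemon; "unknown" when systemctl is absent.
daemon_state() {
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-active packagekit 2>/dev/null) || true
        echo "${state:-inactive}"
    else
        echo unknown
    fi
}

# count_crash_lines < LOG: number of lines hinting at the crash the article
# describes: an assertion from packagekitd, or systemd reporting SIGABRT.
count_crash_lines() {
    grep -ciE 'packagekitd\[[0-9]+\]:.*assert|packagekit\.service: Main process exited.*ABRT' || true
}

# Constructed sample journal excerpt (two lines should match, two should not).
SAMPLE_LOG='May 02 10:14:01 host packagekitd[1234]: ERROR: assertion failed (constructed sample line)
May 02 10:14:01 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT
May 02 10:14:03 host systemd[1]: packagekit.service: Scheduled restart job, restart counter is at 1.
May 02 10:15:40 host packagekitd[1300]: daemon quit'

ver=$(installed_packagekit_version)
if [ -n "$ver" ]; then
    echo "PackageKit $ver: $(packagekit_status "$ver")"
else
    echo "PackageKit not found via dpkg/rpm"
fi
echo "daemon: $(daemon_state)"
echo "crash indicators in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_crash_lines)"
# On a live system, feed the real journal instead of the sample:
#   journalctl -u packagekit | count_crash_lines
```

A non-zero count from the journal is only a prompt to look closer: a restart loop from an unrelated bug produces the same SIGABRT line, so the surrounding journal entries and the installed version together decide whether the host needs attention.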