An easily exploitable, high-severity vulnerability in the PackageKit cross-distro package management abstraction layer allows unprivileged users to install packages with root privileges.
Tracked as CVE-2026-41651 (CVSS score of 8.1), the flaw is described as a time-of-check time-of-use (TOCTOU) race condition on transaction flags.
Dubbed Pack2TheRoot, the bug is a combination of three issues, where caller-supplied flags are written without checking whether the transaction is authorized, or even whether the transaction is already running.
This results in a transaction running with corrupted flags and, because the flags are read at dispatch time rather than at authorization time, the backend sees the attacker’s flags.
“Unprivileged users can exploit Pack2TheRoot to install arbitrary RPM packages as root, including scriptlets, without authentication,” a NIST advisory reads.
The security defect has been confirmed to affect PackageKit versions 1.0.2 to 1.3.4, but likely existed since version 0.8.1, which was released 14 years ago (1.0.2 was released 12 years ago).
According to Deutsche Telekom’s Red Team, which discovered the vulnerability, Linux distributions confirmed as affected include Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta), Ubuntu Server 22.04 – 24.04 (LTS), Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, Fedora 43 Desktop, and Fedora 43 Server.
“It’s reasonable to assume that all distributions that ship PackageKit with it enabled are vulnerable. Since PackageKit is an optional dependency of the Cockpit project, many servers with Cockpit installed might be vulnerable as well, including Red Hat Enterprise Linux (RHEL),” Deutsche Telekom notes.
The company has refrained from sharing technical details on the flaw, noting that it is easily exploitable and that it could allow attackers to gain “root access or compromise the system in other ways”.
“Although the vulnerability is reliably exploitable in seconds, it leaves traces that serve as a strong indicator of compromise. After successful exploitation, the PackageKit daemon hits an assertion failure and crashes. Systemd recovers the daemon on the next D-Bus invocation, preventing a denial-of-service, but the crash is observable in the system logs,” Deutsche Telekom says.
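As an added example (not code from the article, from PackageKit or from Deutsche Telekom), the crash-then-restart trace described above can be turned into a simple journal check: flag any packagekitd assertion failure or ABRT exit and note whether a D-Bus activation followed it. The journal line formats and the sample lines are constructed assumptions for illustration, not captured output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample journal excerpt (assumed format: journalctl short output).
SAMPLE_JOURNAL = """\
Apr 02 10:14:55 host packagekitd[2213]: ERROR: assertion failed: (constructed example)
Apr 02 10:14:55 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT
Apr 02 10:14:55 host systemd[1]: packagekit.service: Failed with result 'core-dump'.
Apr 02 10:15:02 host dbus-daemon[812]: [system] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service'
Apr 02 10:15:02 host systemd[1]: Started PackageKit Daemon.
Apr 02 10:30:00 host sshd[3000]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# Timestamp + hostname prefix, then the unit's own message.
TS_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
# Evidence of the daemon dying: a GLib-style assertion message or an ABRT exit.
ASSERT_RE = re.compile(r"packagekitd\[\d+\]: .*assertion failed", re.I)
ABRT_RE = re.compile(r"packagekit\.service: Main process exited, code=dumped, status=6/ABRT")
# Evidence that D-Bus activation brought the daemon back afterwards.
RESTART_RE = re.compile(
    r"Activating via systemd: service name='org\.freedesktop\.PackageKit'|Started PackageKit Daemon"
)


@dataclass
class CrashIncident:
    timestamp: str
    evidence: list = field(default_factory=list)
    restarted: bool = False


def find_packagekit_crashes(journal_text):
    """Group consecutive crash evidence into incidents; a restart closes one."""
    incidents, current = [], None
    for raw in journal_text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group(1), m.group(2)
        if ASSERT_RE.search(msg) or ABRT_RE.search(msg):
            if current is None:
                current = CrashIncident(timestamp=ts)
                incidents.append(current)
            current.evidence.append(msg)
        elif current is not None and RESTART_RE.search(msg):
            current.restarted = True
            current = None
    return incidents


if __name__ == "__main__":
    for inc in find_packagekit_crashes(SAMPLE_JOURNAL):
        print(inc.timestamp, "packagekitd crash", "(recovered)" if inc.restarted else "(not recovered)")
```

A crash with no preceding package-management activity on the host, or on a host where PackageKit is only present as a Cockpit dependency, is the kind of event worth triaging rather than dismissing as flakiness.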
Pack2TheRoot was addressed in PackageKit version 1.3.5. Patches for it have also been included in recent Debian, Ubuntu, and Fedora updates.