Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A high-severity privilege escalation vulnerability, dubbed Pack2TheRoot (CVE-2026-41651, CVSS 3.1: 8.8), has been publicly disclosed by Deutsche Telekom\u2019s Red Team, affecting multiple major Linux distributions<\/a> in their default installations.<\/p>\n The flaw allows any local unprivileged user to silently install or remove system packages, ultimately achieving full root access without requiring a password.<\/p>\n The vulnerability resides in the PackageKit daemon, a widely deployed cross-distribution package management abstraction layer used across Debian, Ubuntu, Fedora, and Red Hat-based systems.<\/p>\n Exploiting this flaw, an attacker with basic local access can bypass authorization controls entirely, installing malicious packages or removing critical security components to compromise the system.<\/p>\n According to Telekom Security, all PackageKit versions from 1.0.2 through 1.3.4 are affected, spanning over 12 years of releases, creating an exceptionally broad attack surface.<\/p>\n Because PackageKit is also an optional dependency of the Cockpit server management project, enterprise servers running Cockpit including those running Red Hat Enterprise Linux (RHEL) may also be exposed.<\/p>\n Exploitability has been tested and confirmed on the following default installations:<\/p>\n Any distribution shipping PackageKit with it enabled should be considered potentially vulnerable.<\/p>\n The vulnerability was discovered by Telekom Security<\/a> during targeted research into local privilege escalation vectors on modern Linux systems. The team initially noticed that a Beginning in 2025, researchers leveraged Claude Opus by Anthropic to guide<\/a> and accelerate their investigation, ultimately identifying the exploitable flaw. All findings were manually reviewed before being responsibly disclosed to PackageKit maintainers, who confirmed both the issue and its exploitability.<\/p>\n A working proof-of-concept (PoC) exists and reliably achieves root code execution in seconds, though it will not be released publicly at this time.<\/p>\n Since PackageKit and Cockpit aren\u2019t always running as persistent processes (they can activate on demand via D-Bus), a simple process list check is insufficient. Use these commands:<\/p>\n Despite being exploitable in seconds, the attack leaves a detectable trace. Exploitation causes the PackageKit daemon to hit an assertion failure and crash, which is logged and recoverable by systemd. Defenders should monitor for the following log signature:<\/p>\n An assertion failure at The vulnerability is fixed in PackageKit 1.3.5, released on April 22, 2026. Distribution-specific patched packages are also available:<\/p>\n System administrators are strongly urged to apply patches immediately, particularly on internet-facing servers running Cockpit.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\n
pkcon install<\/code> command could install a system package on Fedora Workstation without prompting for a password.<\/p>\nHow to Check If You\u2019re Vulnerable<\/strong><\/h2>\n
\n
dpkg -l | grep -i packagekit<\/code>\n<\/li>\nrpm -qa | grep -i packagekit<\/code>\n<\/li>\nsystemctl status packagekit<\/code> or pkmon<\/code>\n<\/li>\n<\/ul>\njournalctl --no-pager -u packagekit | grep -i emitted_finished<\/code><\/p>\npk-transaction.c:514<\/code> is a strong indicator of active exploitation.<\/p>\nMitigation<\/strong><\/h2>\n
\n