Pack2TheRoot is a high-severity TOCTOU race condition in PackageKit (CVE-2026-41651) that allows unprivileged users to install arbitrary RPM packages with root privileges by corrupting transaction flags. The flaw, disclosed by Deutsche Telekom’s Red Team, affects many distributions shipping vulnerable PackageKit versions and was fixed in PackageKit 1.3.5 with patches rolled into Debian, Ubuntu, and Fedora updates. #Pack2TheRoot #PackageKit
Keypoints
- Pack2TheRoot is a TOCTOU race condition on PackageKit transaction flags with a CVSS score of 8.1.
- Unprivileged users can install arbitrary RPMs as root, including running their scriptlets, without any authentication.
- The vulnerability stems from caller-supplied transaction flags being written to the transaction and read back at dispatch time without the authorization check being tied to the values actually used, so the flags can be changed in the window between the check and the install.
- Confirmed affected versions are PackageKit 1.0.2–1.3.4 and the issue likely existed since 0.8.1; fixed in 1.3.5.
- Multiple Linux distributions and systems that ship PackageKit (desktops, servers, and Cockpit-enabled hosts alike) are likely impacted; exploitation attempts trigger crashes that are observable in system logs, which gives defenders a detection hook.
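The check-then-use window described in the key points above, as an added generic illustration of a TOCTOU race on transaction flags. This is not PackageKit's code and not an exploit for it: the flag names, the `transaction_t` struct, the password-free policy and the `run_race` driver are all assumptions made for the example. The vulnerable dispatch re-reads the live flags that the caller can still rewrite after authorization; the hardened dispatch compares them against the snapshot that was actually authorized and fails closed on any mismatch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical transaction flags; names and semantics are assumptions for this
 * illustration, not PackageKit's real flag set. */
#define FLAG_SIMULATE      (1u << 0)  /* dry run: resolve deps, install nothing */
#define FLAG_ONLY_TRUSTED  (1u << 1)  /* refuse unsigned packages */

typedef struct {
    uint32_t flags;             /* live flags; the caller can rewrite these over IPC */
    bool     authorized;
    uint32_t authorized_flags;  /* snapshot taken when authorization succeeded */
} transaction_t;

/* Hypothetical policy: only a simulated, trusted-only transaction may proceed
 * without an administrator password. */
static bool allowed_without_password(uint32_t flags)
{
    return (flags & FLAG_SIMULATE) && (flags & FLAG_ONLY_TRUSTED);
}

/* Time of check: authorize the transaction against the flags set right now
 * and record exactly what was authorized. */
static bool authorize(transaction_t *t)
{
    if (!allowed_without_password(t->flags))
        return false;
    t->authorized = true;
    t->authorized_flags = t->flags;
    return true;
}

/* Models the attacker's move between check and use: the unprivileged caller
 * rewrites the flags after authorization but before dispatch. */
static void caller_rewrites_flags(transaction_t *t, uint32_t new_flags)
{
    t->flags = new_flags;
}

/* Time of use, vulnerable: reads the live flags again at dispatch. Returns the
 * flags the backend would actually run with, or -1 if never authorized. */
static int dispatch_vulnerable(const transaction_t *t)
{
    if (!t->authorized)
        return -1;
    return (int)t->flags;
}

/* Time of use, hardened: refuses to proceed unless the live flags still match
 * the snapshot that was authorized (fail closed on tampering). */
static int dispatch_hardened(const transaction_t *t)
{
    if (!t->authorized)
        return -1;
    if (t->flags != t->authorized_flags)
        return -1;  /* flags changed after the check: abort rather than trust them */
    return (int)t->authorized_flags;
}

/* Plays the race deterministically: authorize a harmless transaction, let the
 * caller strip both protective flags, then dispatch. Returns the effective
 * flags (0 means a real install that accepts untrusted packages), -1 if the
 * dispatch refused, -2 if authorization itself failed. */
static int run_race(bool hardened)
{
    transaction_t t = { .flags = FLAG_SIMULATE | FLAG_ONLY_TRUSTED,
                        .authorized = false, .authorized_flags = 0 };
    if (!authorize(&t))
        return -2;
    caller_rewrites_flags(&t, 0);  /* real install, unsigned packages accepted */
    return hardened ? dispatch_hardened(&t) : dispatch_vulnerable(&t);
}

int main(void)
{
    int v = run_race(false);
    int h = run_race(true);
    printf("vulnerable dispatch ran with flags 0x%x (%s)\n", (unsigned)v,
           v == 0 ? "real install of untrusted packages" : "unexpected");
    printf("hardened dispatch returned %d (%s)\n", h,
           h == -1 ? "refused: flags changed after authorization" : "unexpected");
    return 0;
}
```

The point of the example is the window, not the specific flags: any value that is both checked and later used must be read once, authorized, and then either used from that snapshot or re-validated against it. Re-reading a caller-writable field at dispatch reintroduces the race no matter how strict the authorization policy is.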