A new local privilege-escalation vulnerability dubbed Pack2TheRoot (CVE-2026-41651) in the PackageKit daemon can allow local Linux users to install or remove system packages and gain root privileges. The flaw, present since PackageKit 1.0.2 (Nov 2014) through 1.3.4, was reported by the Deutsche Telekom Red Team and fixed in PackageKit 1.3.5; users should patch immediately. #Pack2TheRoot #CVE-2026-41651
Keypoints
- Pack2TheRoot (CVE-2026-41651) enables local package installation/removal and privilege escalation via the PackageKit daemon.
- The vulnerability has existed since PackageKit 1.0.2 (November 2014) and affects versions through 1.3.4.
- Deutsche Telekom Red Team discovered and reported the issue; PackageKit 1.3.5 contains the patch.
- Confirmed vulnerable distributions include Ubuntu, Debian Trixie, Fedora 43, and RockyLinux Desktop, among others.
- Users should upgrade to PackageKit 1.3.5 and check installed and running status with dpkg/rpm and systemctl or pkmon.