High-Severity Linux Privilege Escalation Flaw "Pack2TheRoot" Disclosed
Deutsche Telekom’s Red Team has publicly disclosed a high-severity privilege escalation vulnerability, CVE-2026-41651 (CVSS 8.8), dubbed Pack2TheRoot, affecting default installations of major Linux distributions. The flaw, present in the PackageKit daemon (a widely used package management abstraction layer), allows any local unprivileged user to silently install or remove system packages, ultimately gaining full root access without authentication.
The vulnerability impacts PackageKit versions 1.0.2 through 1.3.4, spanning over 12 years of releases and exposing systems across Debian, Ubuntu, Fedora, and Red Hat-based distributions, including enterprise servers running Cockpit. Confirmed vulnerable default installations include:
- Ubuntu Desktop (18.04, 24.04.4 LTS, 26.04 LTS Beta)
- Ubuntu Server (22.04, 24.04 LTS)
- Debian Desktop (Trixie 13.4)
- Rocky Linux Desktop (10.1)
- Fedora (43 Desktop and Server)
Exploitation is straightforward: an attacker with basic local access can bypass authorization controls, install malicious packages, or remove critical security components. A proof-of-concept (PoC) exists, reliably achieving root code execution in seconds, though it remains undisclosed.
The flaw was discovered during Telekom Security’s research into local privilege escalation vectors, with Claude Opus (Anthropic) assisting in the investigation starting in 2025. Findings were responsibly disclosed to PackageKit maintainers, who confirmed the issue and its exploitability.
While the attack leaves detectable traces, such as PackageKit daemon crashes logged in journalctl, systems can be checked for vulnerability using:
- Debian/Ubuntu:
  dpkg -l | grep -i packagekit
- RPM-based:
  rpm -qa | grep -i packagekit
- Daemon status:
  systemctl status packagekit or pkmon
A patch was released in PackageKit 1.3.5 (April 22, 2026), with distribution-specific fixes available via:
- Debian: security-tracker.debian.org
- Ubuntu: Launchpad CVE tracker
- Fedora: PackageKit-1.3.4-3 (via Koji)
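The following shell script is an added example, not from the article or from the PackageKit project. It classifies an installed package version against the upstream range stated above and counts abnormal daemon exits in the journal; the file name pk_check.sh, the verdict strings and the crash-line pattern are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Upstream range per the article:
# PackageKit 1.0.2 through 1.3.4 affected, 1.3.5 fixed.

# "1:1.3.4-3.fc43" -> "1.3.4": drop the epoch, then the distro revision.
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%[!0-9.]*}"
}

# Map "major.minor.patch" to one integer so versions compare numerically.
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print a verdict for a version string as reported by dpkg-query or rpm.
classify_packagekit() {
    up=$(upstream_version "$1")
    [ -n "$up" ] || { echo "not-installed"; return 0; }
    key=$(version_key "$up")
    if [ "$key" -lt "$(version_key 1.0.2)" ]; then
        echo "below-affected-range"
    elif [ "$key" -le "$(version_key 1.3.4)" ]; then
        # Distros backport fixes (the article lists PackageKit-1.3.4-3 for
        # Fedora), so confirm against the distribution's tracker.
        echo "in-affected-range-check-distro-advisory"
    else
        echo "fixed-upstream"
    fi
}

# Count journal lines on stdin where systemd reports the daemon dying
# abnormally. Assumption: the article does not quote the crash message; this
# matches systemd's generic abnormal-exit line for packagekit.service.
count_daemon_crashes() {
    grep -Ec 'packagekit\.service: Main process exited, code=(dumped|killed)' || true
}

# Usage: sh pk_check.sh "$(dpkg-query -W -f='${Version}' packagekit 2>/dev/null)"
#    or: sh pk_check.sh "$(rpm -q --qf '%{VERSION}-%{RELEASE}' PackageKit 2>/dev/null)"
if [ "$#" -gt 0 ]; then
    classify_packagekit "$1"
    echo "crash-lines: $(journalctl -u packagekit --no-pager 2>/dev/null | count_daemon_crashes)"
fi
```

A verdict of in-affected-range-check-distro-advisory is not proof of exposure, because a distribution build can carry the fix under an older upstream version number.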
Administrators are advised to apply updates immediately, particularly on internet-facing servers running Cockpit.
Source: https://cybersecuritynews.com/pack2theroot-vulnerability/