A recently disclosed vulnerability in the PackageKit package management system affects a range of Linux distributions. The flaw, dubbed ‘Pack2TheRoot’ and tracked as CVE-2026-41651, carries a CVSS score of 8.1 (high severity). It allows non-privileged users to install packages with root privileges, which makes it a significant security threat.
Understanding the Pack2TheRoot Vulnerability
The ‘Pack2TheRoot’ issue is a time-of-check/time-of-use (TOCTOU) race condition affecting transaction flags. Caller-supplied flags are written to the transaction without checking whether the transaction has already been authorized, so a transaction can execute with tampered flags. Because the flags are evaluated at dispatch rather than during authorization, the backend acts on the flags the attacker supplied rather than the ones that were authorized.
Attackers can use this vulnerability to install arbitrary RPM packages as root, bypassing authentication. The flaw affects PackageKit versions 1.0.2 to 1.3.4, and there are indications that it has been present since version 0.8.1, released 14 years ago.
Affected Linux Distributions and Impact
According to Deutsche Telekom’s Red Team, which identified the flaw, affected distributions include Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta), Ubuntu Server 22.04 – 24.04 (LTS), Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43 Desktop and Server. It is presumed that any distribution shipping with PackageKit enabled could be at risk.
Additionally, systems using the Cockpit project, where PackageKit is an optional dependency, might also be vulnerable. This includes potential exposure for servers running Red Hat Enterprise Linux (RHEL).
Exploitation and Mitigation
The vulnerability is easy to exploit and its consequences are potentially devastating, so users should act quickly. Exploitation leaves traces that can indicate a compromise attempt: assertion failures and crashes in the PackageKit daemon, which appear in the system logs. Because systemd recovers the daemon on the next D-Bus action, these crashes do not amount to a denial of service.
Organizations are urged to update to PackageKit version 1.3.5, where this flaw has been addressed. Recent updates for Debian, Ubuntu, and Fedora have included patches to mitigate the risk associated with this vulnerability.
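As an added example, not part of this advisory or of the PackageKit project, the following POSIX shell script applies both points above from a defender’s side: it flags an installed PackageKit version older than the fixed 1.3.5 release, and it counts the packagekitd assertion failures and crashes the advisory names as exploitation traces in a journal extract. The journal lines are constructed sample data; the unit name packagekit.service and the crash keywords in the pattern are assumptions about typical systemd and coredump log formats.

```shell
#!/bin/sh
# Added example (not from the advisory): defender-side checks for Pack2TheRoot.

# True (exit 0) when the dotted version in $1 is older than the fixed 1.3.5.
# The advisory lists 1.0.2 to 1.3.4 as affected and possibly everything back
# to 0.8.1, so treating anything below 1.3.5 as needing an update is the
# conservative reading. Distro suffixes such as "-1ubuntu1" or "+git..." are
# stripped before the numeric, field-by-field comparison ("1.3.10" > "1.3.5").
pk_version_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -lt 1 ] && return 0
    [ "$maj" -gt 1 ] && return 1
    [ "$min" -lt 3 ] && return 0
    [ "$min" -gt 3 ] && return 1
    [ "$pat" -lt 5 ]
}

# Reads journal text on stdin and prints how many lines point at a crashing
# or asserting PackageKit daemon. Keywords are assumptions about common
# systemd / systemd-coredump wording (ABRT, "dumped core", "assertion").
pk_crash_hits() {
    grep -Eic 'packagekit.*(assertion|abrt|abort|core dumped|dumped core|segfault)' || true
}

# Constructed sample journal extract (not real data): three crash signatures,
# two unrelated lines.
SAMPLE_JOURNAL='Apr 01 10:00:01 host packagekitd[812]: daemon started
Apr 01 10:00:07 host packagekitd[812]: ERROR: assertion failed while dispatching transaction
Apr 01 10:00:07 host systemd-coredump[901]: Process 812 (packagekitd) of user 0 dumped core.
Apr 01 10:00:08 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT
Apr 01 10:00:20 host sshd[77]: Accepted publickey for alice from 10.0.0.5'

# Demonstration on constructed versions; on a real host feed in the output of
# dpkg-query -W -f='${Version}' packagekit   (Debian/Ubuntu) or
# rpm -q --qf '%{VERSION}' PackageKit         (Fedora/RHEL/Rocky).
for v in 1.0.2 1.3.4-1ubuntu1 1.3.5 1.3.10; do
    if pk_version_vulnerable "$v"; then echo "PackageKit $v: update to 1.3.5 or later"
    else echo "PackageKit $v: fixed"; fi
done
hits=$(printf '%s\n' "$SAMPLE_JOURNAL" | pk_crash_hits)
echo "suspicious PackageKit crash lines in sample: $hits"
# Live host equivalent: journalctl -u packagekit -o short | pk_crash_hits
```

A non-zero crash count is a reason to look closer, not proof of compromise: the daemon also crashes for ordinary reasons, so correlate the timestamps with package installs recorded by the package manager.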
As cybersecurity threats evolve, it remains vital for organizations to remain vigilant and ensure their systems are promptly updated to prevent exploitation of known vulnerabilities.
