Executive Summary
A critical vulnerability, designated Pack2TheRoot (CVE-2026-41651, CVSS 8.8), has been identified in the PackageKit daemon, a core component responsible for abstracting package management operations across numerous Linux distributions. This flaw enables any local, unprivileged user to escalate privileges and obtain root access by exploiting the PackageKit service. The vulnerability has persisted undetected for over a decade, affecting default installations of major Linux distributions. Immediate remediation is essential because the vulnerability is trivial to exploit; exploitation does, however, leave clear forensic traces. The issue has been addressed in PackageKit version 1.3.5 and through distribution-specific backports.
Technical Information
The Pack2TheRoot vulnerability is a local privilege escalation flaw in the PackageKit daemon, which acts as a high-level interface for package management systems such as APT, DNF, and YUM. The vulnerability is tracked as CVE-2026-41651 and carries a CVSS score of 8.8, reflecting its high severity and ease of exploitation.
The flaw resides in the transaction handling logic of PackageKit. Specifically, a race condition in the transaction finalization process allows a local attacker to trigger a state where the daemon erroneously processes multiple transaction completions. This results in a logic error that can be exploited to execute arbitrary code with root privileges. The vulnerability is present in all PackageKit versions from 1.0.2 up to and including 1.3.4.
The attack vector requires only local access; no special privileges or user interaction are necessary. By exploiting the flaw, an attacker can install, remove, or modify system packages, effectively gaining full control over the affected system. The exploit is highly reliable and can be executed in seconds.
Forensic evidence of exploitation is left in system logs, as the PackageKit daemon crashes with an assertion failure, which is captured by systemd and visible in the journal logs. The crash is a strong indicator of compromise and should be monitored closely.
A proof-of-concept exploit has been developed and verified by the original discoverers, the Deutsche Telekom Red Team, but has not been publicly released as of this advisory. The vulnerability affects a broad spectrum of Linux distributions, including but not limited to Ubuntu, Debian, Fedora, RockyLinux, and any system where PackageKit is enabled by default.
Exploitation in the Wild
At the time of this report, there are no confirmed cases of exploitation of Pack2TheRoot in the wild. However, the vulnerability is considered highly attractive to attackers due to its reliability, the ubiquity of PackageKit across Linux distributions, and the simplicity of the attack. Security researchers and vendors anticipate that exploitation attempts will increase rapidly following public disclosure, especially as details and proof-of-concept code become more widely available.
The absence of public exploit code does not diminish the urgency of patching, as the technical details are sufficient for skilled attackers to develop their own exploits. Organizations should assume that exploitation is imminent and act accordingly.
APT Groups using this vulnerability
There is currently no attribution of Pack2TheRoot exploitation to any known Advanced Persistent Threat (APT) groups. The vulnerability is generic in nature and can be leveraged by any threat actor with local access, including cybercriminals, insiders, and state-sponsored actors. Given the criticality and cross-distro impact, it is expected that APT groups will incorporate this exploit into their toolkits if they have not already done so. Continuous monitoring for indicators of compromise and rapid patch deployment are strongly recommended.
Affected Product Versions
The following products and versions are confirmed to be affected by Pack2TheRoot:
PackageKit versions from 1.0.2 up to and including 1.3.4 are vulnerable. This includes default installations of:
- Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), and 26.04 (LTS beta)
- Ubuntu Server 22.04 through 24.04 (LTS)
- Debian Desktop Trixie 13.4
- RockyLinux Desktop 10.1
- Fedora 43 Desktop/Server
Any Linux distribution with PackageKit enabled is potentially vulnerable, including systems with Cockpit-enabled servers such as RHEL if PackageKit is present.
The vulnerability is fixed in PackageKit version 1.3.5 and in distribution-specific backports. Administrators should verify the installed version of PackageKit using the following commands:
- Debian or Ubuntu: dpkg -l | grep -i packagekit
- RHEL or Fedora: rpm -qa | grep -i packagekit
To check if the daemon is running, use one of the following:
- systemctl status packagekit
- pkmon (versions below 1.3.3)
- pkgcli monitor (versions 1.3.3 and above)
Workaround and Mitigation
The primary mitigation is to upgrade PackageKit to version 1.3.5 or apply the relevant distribution backport as soon as possible. Distribution-specific advisories and patched packages are available from the following sources: the Debian Security Tracker, Ubuntu Launchpad, and Fedora Koji.
If immediate patching is not feasible, organizations should consider disabling the PackageKit daemon as a temporary workaround, though this may impact package management functionality. Monitoring system logs for assertion failures in PackageKit is recommended to detect potential exploitation. The following command searches the journal for the assertion failure; log entries like the two shown after it are indicative of compromise:
journalctl --no-pager -u packagekit | grep -i emitted_finished
Apr 18 09:56:36 Rocky10 packagekitd[2082]: PackageKit:ERROR:../src/pk-transaction.c:514:pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished)
Apr 18 09:56:36 Rocky10 packagekitd[2082]: Bail out! PackageKit:ERROR:../src/pk-transaction.c:514:pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished)
The daemon will crash and be restarted by systemd, but the crash itself is a strong indicator of exploitation. Organizations should also review user activity logs for unauthorized package management operations.
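The following triage helpers are an added example, not code from the original advisory or from the PackageKit project. They combine the version check from the Affected Product Versions section with the journal search above; the function names and the first and last sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample journal text are constructed.

# Classify an installed version against the vulnerable upstream range
# 1.0.2..1.3.4. Backports can fix the flaw without changing the upstream
# number, so "vulnerable" means: confirm against the distribution advisory.
pk_version_status() {
    # Drop epoch and distro revision, e.g. "1:1.2.8-2ubuntu1" -> "1.2.8".
    v=$(printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//')
    printf '%s\n' "$v" | awk -F. '
        function key(a, b, c) { return a * 1000000 + b * 1000 + c }
        { k = key($1 + 0, $2 + 0, $3 + 0)
          if (k >= key(1, 0, 2) && k <= key(1, 3, 4)) print "vulnerable"
          else print "outside-range" }'
}

# Read journal text on stdin and print one line per crash event. Each crash
# logs the assertion twice (the ERROR line and the "Bail out!" line), so
# events are de-duplicated on timestamp, host and process tag.
pk_crash_events() {
    grep -F 'pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished)' |
        awk '$5 ~ /^packagekitd\[[0-9]+\]:$/ { print $1, $2, $3, $4, $5 }' |
        sort -u
}

# Number of distinct crash events in the journal text on stdin.
pk_crash_count() { pk_crash_events | wc -l | tr -d ' '; }

# First and last lines are constructed; the middle two are from the advisory.
SAMPLE_JOURNAL='Apr 18 09:56:30 Rocky10 packagekitd[2082]: constructed benign line
Apr 18 09:56:36 Rocky10 packagekitd[2082]: PackageKit:ERROR:../src/pk-transaction.c:514:pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished)
Apr 18 09:56:36 Rocky10 packagekitd[2082]: Bail out! PackageKit:ERROR:../src/pk-transaction.c:514:pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished)
Apr 18 10:02:11 Rocky10 packagekitd[2140]: PackageKit:ERROR:../src/pk-transaction.c:514:pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished)'

printf 'version 1.3.4: %s\n' "$(pk_version_status 1.3.4)"
printf 'version 1.3.5: %s\n' "$(pk_version_status 1.3.5)"
printf 'crash events in sample: %s\n' \
    "$(printf '%s\n' "$SAMPLE_JOURNAL" | pk_crash_count)"
```

On a live host, pipe the output of journalctl --no-pager -u packagekit into pk_crash_events and pass the version reported by dpkg or rpm to pk_version_status.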
References
- Deutsche Telekom Security Advisory (original disclosure)
- BleepingComputer News Coverage
- Debian Security Tracker
- Ubuntu Launchpad Bug
- Fedora Koji PackageKit
- Reddit NetSec Discussion
- MITRE ATT&CK T1068
- MITRE ATT&CK T1543.003
Rescana is here for you
Rescana is committed to helping organizations proactively manage third-party and supply chain cyber risk. Our advanced TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you stay ahead of emerging threats. While this advisory focuses on the Pack2TheRoot vulnerability, our platform is designed to help you identify, assess, and mitigate a wide range of cyber risks across your entire ecosystem.
If you have any questions about this advisory, require technical assistance, or need support with incident response, please contact us at ops@rescana.com. Our team of experts is ready to assist you in safeguarding your organization against evolving cyber threats.

