A high-severity local privilege escalation vulnerability (CVE-2026-41651), known as Pack2TheRoot, has been disclosed in the PackageKit daemon, impacting multiple major Linux distributions, including Ubuntu, Debian, Fedora, and Red Hat-based systems. The vulnerability allows any unprivileged local user to gain full root access without authentication.
The flaw has existed across PackageKit versions for over a decade and can be exploited within seconds. A patch is available, and organizations must prioritize immediate remediation across Linux endpoints, servers, and cloud environments, particularly in regions with extensive Linux adoption, such as GCC and MENA.
CVE-2026-41651 is a time-of-check to time-of-use (TOCTOU) race condition in the PackageKit daemon's transaction handling logic. The vulnerability arises from improper validation of transaction flags, which allows attacker-controlled inputs to be applied after the authorization checks have already completed.
An attacker can manipulate the transaction state by modifying flags during execution, causing the system to perform privileged actions under altered conditions. This enables the installation of arbitrary packages containing scriptlets that execute with root privileges.
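The check-then-use pattern described above, reduced to a small model (added here as an illustration; this is hypothetical code, not PackageKit's implementation, and the flag names and policy are constructed). The vulnerable commit path re-reads mutable flags after authorizing them; the fixed path authorizes an immutable snapshot and executes only that snapshot.

```python
# Hypothetical model of a TOCTOU on transaction flags (not PackageKit code).
from dataclasses import dataclass, field

# Constructed flag names: these would require an administrative caller.
PRIVILEGED_FLAGS = frozenset({"allow-untrusted", "run-scriptlets"})


@dataclass
class Transaction:
    flags: set = field(default_factory=set)  # mutable, caller-visible state


def is_authorized(flags: frozenset, caller_is_admin: bool) -> bool:
    """Policy: any privileged flag requires an admin caller."""
    return caller_is_admin or not (flags & PRIVILEGED_FLAGS)


def commit_vulnerable(tx: Transaction, caller_is_admin: bool, race=None) -> str:
    """Authorize against tx.flags, then later *use* tx.flags again.
    `race` stands in for another caller mutating the transaction in between."""
    if not is_authorized(frozenset(tx.flags), caller_is_admin):
        return "denied"
    if race is not None:
        race(tx)  # the TOCTOU window: flags change after the check
    return "executed:" + ",".join(sorted(tx.flags))  # privileged step uses new flags


def commit_fixed(tx: Transaction, caller_is_admin: bool, race=None) -> str:
    """Snapshot the flags once, authorize the snapshot, execute only the snapshot,
    and abort if the live state diverged from what was authorized."""
    snapshot = frozenset(tx.flags)
    if not is_authorized(snapshot, caller_is_admin):
        return "denied"
    if race is not None:
        race(tx)  # same window, but the mutation cannot reach the privileged step
    if frozenset(tx.flags) != snapshot:
        return "aborted:flags changed after authorization"
    return "executed:" + ",".join(sorted(snapshot))


def demo():
    """Unprivileged caller starts a benign transaction, then a privileged flag
    is injected after the authorization check."""
    def inject(tx):
        tx.flags.add("run-scriptlets")
    return (commit_vulnerable(Transaction({"only-trusted"}), False, inject),
            commit_fixed(Transaction({"only-trusted"}), False, inject))


if __name__ == "__main__":
    print(demo())
```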
PackageKit operates via D-Bus and can be activated on demand, meaning it does not need to be actively running for exploitation to occur. The vulnerability affects a wide range of systems, including enterprise environments where PackageKit is installed only as a dependency, which significantly increases the attack surface. The technical details of the attack are discussed below.
Exploitation Demonstration:
Ease of Exploitation:
The vulnerability is highly exploitable due to its reliance on logic flaws rather than complex memory corruption. Attackers only require local access to trigger the race condition, which can be achieved through various initial access methods such as phishing or compromised credentials.
The exploit is reliable, fast, and difficult to detect with traditional security tools, as it operates within legitimate system processes. Its presence across multiple Linux distributions for over 12 years further increases exposure and risk.
Impact:
Successful exploitation results in full root-level control over affected systems. Attackers can install persistent backdoors, exfiltrate sensitive data, disable security controls, and move laterally across networks.
The compromise of Linux servers can lead to significant operational disruption, data breaches, and regulatory implications, particularly in sectors handling sensitive information or critical workloads.
Conclusion:
Pack2TheRoot represents a critical security risk due to its simplicity, widespread impact, and ability to grant immediate root access. As a post-exploitation enabler, it allows attackers to escalate privileges rapidly once initial access is obtained.
Organizations must treat this vulnerability as a priority, ensuring immediate patching and strengthening monitoring capabilities to detect potential exploitation attempts.
https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html