Pack2TheRoot: Critical Linux Passwordless Root Vulnerability
Pack2TheRoot (CVE-2026-41651) affects Linux PackageKit for 12 years. CVSS 8.8, local passwordless root access. Patches available: here is what to know.

A vulnerability with a CVSS score of 8.8 has remained hidden in the PackageKit code for over twelve years, exposing millions of desktop Linux systems to privilege escalation without a password request. Named Pack2TheRoot (CVE-2026-41651), the flaw was disclosed on April 23, 2026, and affects all versions of PackageKit from 1.0.2 to 1.3.4 inclusive.
What is Pack2TheRoot and how the attack works
According to Cyber Kendra, "a newly disclosed vulnerability in a nearly universal Linux component has handed the keys to the entire system to any unprivileged local user — no password, no exploit chain, no guesswork required." The nature of the vulnerability lies in a race condition that allows bypassing PolicyKit (polkit) authorization checks through the D-Bus interface.
The Deutsche Telekom Red Team, assisted by AI analysis using Claude Opus, identified the issue affecting PackageKit, the package management daemon present in almost all desktop Linux distributions as a default component. As Cyber Kendra reports, "the bug has existed since PackageKit version 1.0.2, released over 12 years ago, which means the vulnerable codebase has been distributed within countless Linux systems as a default component for over a decade."
Which distributions are vulnerable
Confirmed vulnerable distributions include:
- Ubuntu Desktop 18.04, 24.04.4, 26.04 beta
- Ubuntu Server 22.04-24.04
- Debian Trixie 13.4
- Rocky Linux 10.1
- Fedora 43 Desktop and Server
A particularly insidious aspect concerns servers running Cockpit: these can be exposed even when PackageKit is not running as a persistent service, as both activate on demand via D-Bus. The attack surface is thus expanded beyond traditional desktop systems.
The technical mechanism of the race condition
The vulnerability stems from a failure to properly validate the caller's privileges in the D-Bus interface. Exposed methods such as InstallPackage, RemovePackage, and UpdatePackages do not correctly check the caller's privileges when invoked via the local session bus, so any unprivileged local user can install or remove system packages without authorization.
As Cyber Kendra explained, "the team — assisted by guided AI analysis using Claude Opus — eventually identified an exploitable race condition." After successful exploitation, the PackageKit daemon crashes with an assertion failure, leaving a trace in the system logs as a potential indicator of compromise.
Available patches and corrected versions
The fix is available in PackageKit 1.3.5, with patches released by Debian, Ubuntu, and Fedora on April 22, 2026. System administrators are urged to check the installed version and proceed with the update to the corrected versions as soon as possible, considering the high CVSS score and simplicity of exploitation.
Affected versions of PackageKit range from 1.0.2 to 1.3.4. PackageKit 1.0.2 was released over twelve years ago, making the historical attack surface particularly large. The widespread distribution of the component as a standard element in desktop Linux distributions significantly increases the potential number of exposed systems.
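The version check the article asks administrators to perform can be scripted. The following is an added example, not code from the article, from the Deutsche Telekom Red Team or from the PackageKit project: it reduces the distribution's package version string to its upstream part, tests it against the affected range stated above (1.0.2 through 1.3.4, fixed in 1.3.5), and, following the article's note that a successful attempt crashes the daemon with an assertion failure, lists candidate journal lines for review. The package names (`packagekit` on Debian/Ubuntu, `PackageKit` on Fedora/Rocky), the unit name `packagekit.service` and the `assert` search pattern are assumptions; the exact log message is not given in the article.

```shell
#!/bin/sh
# Added example (not from the article or the PackageKit project): report whether
# the installed PackageKit falls in the affected range 1.0.2 .. 1.3.4 from the
# advisory summary, and surface journal lines that may record the daemon crash.
# Assumptions: package names "packagekit" (dpkg) / "PackageKit" (rpm), systemd
# unit "packagekit.service", and a generic "assert" pattern for the crash line.

FIRST_AFFECTED="1.0.2"
LAST_AFFECTED="1.3.4"
FIXED_VERSION="1.3.5"

# Reduce a distro version such as "1:1.2.8-2ubuntu1" to its upstream part
# ("1.2.8") and encode it as major*10^6 + minor*10^3 + patch so that two
# versions can be compared numerically with -ge / -le.
ver_to_int() {
    v=${1#*:}                 # drop a leading epoch ("1:")
    upstream=${v%%[!0-9.]*}   # cut at the first char that is not a digit or dot
    set -- $(printf '%s\n' "$upstream" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) when the version lies inside the affected range.
pk_is_vulnerable() {
    n=$(ver_to_int "$1")
    [ "$n" -ge "$(ver_to_int "$FIRST_AFFECTED")" ] &&
        [ "$n" -le "$(ver_to_int "$LAST_AFFECTED")" ]
}

# Ask the package manager for the installed version; prints nothing when
# neither dpkg nor rpm knows the package. Always returns 0.
installed_pk_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' packagekit 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q PackageKit >/dev/null 2>&1 &&
            rpm -q --qf '%{VERSION}-%{RELEASE}' PackageKit 2>/dev/null
    fi
    return 0
}

# Classify one version string: VULNERABLE, NOT_IN_AFFECTED_RANGE or UNKNOWN.
classify_version() {
    [ -n "$1" ] || { echo UNKNOWN; return 0; }
    if pk_is_vulnerable "$1"; then
        echo VULNERABLE
    else
        echo NOT_IN_AFFECTED_RANGE
    fi
}

# Heuristic indicator from the article: a successful attempt crashes packagekitd
# with an assertion failure that lands in the system log. The exact message is
# not published here, so this only lists candidate lines for an analyst.
pk_crash_hints() {
    command -v journalctl >/dev/null 2>&1 || return 0
    journalctl -u packagekit.service --no-pager 2>/dev/null | grep -i 'assert' || true
}

ver=$(installed_pk_version)
verdict=$(classify_version "$ver")
echo "PackageKit version: ${ver:-not found} -> $verdict"
if [ "$verdict" = VULNERABLE ]; then
    echo "Update to PackageKit $FIXED_VERSION or your distribution's patched build."
fi
pk_crash_hints
```

One caveat for anyone relying on this check: distributions often backport a fix without changing the upstream version number, so a build such as a patched 1.2.8 can be reported as VULNERABLE while the distribution's advisory says otherwise. Treat the output as a prompt to compare against the vendor's advisory for the exact package release, not as a final verdict.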
Frequently Asked Questions
- What is the CVSS score of the Pack2TheRoot vulnerability?
- The Pack2TheRoot vulnerability has a CVSS score of 8.8, classified as High severity, indicating significant impact on affected systems.
- Does Pack2TheRoot require a password to obtain root privileges?
- No, the Pack2TheRoot vulnerability does not require a password or an exploit chain. An unprivileged local user can obtain full root access by exploiting the race condition in PackageKit.
- Which versions of PackageKit are vulnerable?
- All versions of PackageKit from 1.0.2 to 1.3.4 are vulnerable. The corrected version is PackageKit 1.3.5, released with the patches on April 22, 2026.
This article is a summary based exclusively on the listed sources.
Sources
- https://www.redhotcyber.com/post/linux-sotto-tiro-la-falla-pack2theroot-consente-accesso-root-in-pochi-secondi/
- https://turbolab.it/server-1224/pack2theroot-minaccia-linux-sfruttando-bug-packagekit-4641
- https://managedserver.it/vulnerabilita-gravissima-su-linux-per-ora-sconosciuta-scoperta-da-evilsocket/
- https://www.miamammausalinux.org/2020/03/los-piu-vulnerabile-e-linux/
- https://www.cybertrends.it/scoperta-grave-vulnerabilita-nella-libreria-principale-di-linux-consente-di-ottenere-i-privilegi-di-root/