Pack2TheRoot (CVE-2026-41651): The PackageKit flaw that compromises Linux

Key points:
  • The flaw is a race condition (TOCTOU) in the PackageKit daemon's D-Bus transaction handling that lets a request bypass polkit authorization.
  • It affects popular distributions such as Ubuntu, Debian, Fedora, and Rocky Linux in their default installations.
  • An attacker can overwrite the flags of a transaction already authorized as "safe" by sending a second request before the scheduler starts the operation.
  • The vulnerability is fixed in PackageKit 1.3.5; as a temporary mitigation, a custom polkit rule can deny the affected actions.

Pack2TheRoot

A few days ago, information was released about a new critical vulnerability affecting Linux environments, called "Pack2TheRoot". Cataloged as CVE-2026-41651, the flaw affects PackageKit, a daemon that acts as a D-Bus abstraction layer to unify package management across multiple distributions.

The flaw allows any unprivileged local user to install or remove packages arbitrarily; by exploiting it, an attacker can gain full root access to the affected system. The impact is considerable, since the issue has been present since version 1.0.2, released in 2014 (more than twelve years ago), and affects the default configurations of popular distributions such as Ubuntu, Debian, Rocky Linux, and Fedora.

Pack2TheRoot: PackageKit vulnerability grants administrator access on Linux

The discovery of Pack2TheRoot was the result of research led by Deutsche Telekom's Red Team, who used the Claude Opus artificial intelligence model to guide their analysis of local privilege escalation vectors.

The researchers initially observed that the pkcon install command could be executed without a password prompt in certain Fedora configurations, which raised suspicions about the underlying authorization. After confirming the vulnerability and responsibly reporting it to the PackageKit maintainers, they developed a working exploit, although its detailed publication has been deliberately delayed to give users and administrators time to apply the necessary updates.

The mechanics of the attack

The root of the vulnerability is a race condition (of the TOCTOU type: Time-of-Check to Time-of-Use) in the transaction handling of the PackageKit background process (daemon). PackageKit runs as root and delegates authorization to polkit. When a client requests to install a package, for example through the InstallFiles method, it transmits a set of flags that dictate the behavior of the transaction.

Certain flags, such as SIMULATE or ONLY_DOWNLOAD, instruct PackageKit to skip the polkit check, since they represent operations that, in theory, do not modify the state of the system. The flaw is that the transaction handler unconditionally overwrites the cached flags with each new call, without verifying whether the transaction has already been authorized or is already in the process of being executed.


An attacker can therefore start a transaction with "safe" flags (thereby avoiding polkit authorization) and, milliseconds later, send a second D-Bus request for the same transaction, this time with flags that request an actual installation. Because of the priority structure of the GLib main loop, in which pending D-Bus messages are dispatched before idle callbacks, the second request overwrites the cached flags just before the scheduled operation starts.

As a result, the transaction that was authorized as "safe" runs with the substituted parameters, installing the attacker's package with root privileges.
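The following toy model, added here and not taken from PackageKit or from the researchers' exploit, reproduces the three ingredients just described in a few dozen lines: "safe" flags skip the polkit check, the handler caches whatever flags the newest request carries, and D-Bus requests are dispatched before idle callbacks in a GLib-style loop. All names (EventLoop, Daemon, install_files, the flag values and priorities) are invented for the illustration, and the "fixed" branch is one possible hardening, not necessarily the upstream patch.

```python
"""Toy model of the Pack2TheRoot-style TOCTOU race (added example; not PackageKit code)."""
import heapq
import itertools
from dataclasses import dataclass, field

# Constructed flag bits; the real PackageKit enum values are not reproduced.
SIMULATE, ONLY_DOWNLOAD, INSTALL = 1, 2, 4
SAFE_FLAGS = SIMULATE | ONLY_DOWNLOAD   # requests that skip the polkit check

# GLib-style priorities: lower number is dispatched first.
PRIO_DBUS = 0      # stands for G_PRIORITY_DEFAULT (incoming D-Bus messages)
PRIO_IDLE = 200    # stands for G_PRIORITY_DEFAULT_IDLE (deferred "run" step)


class EventLoop:
    """Minimal priority-ordered main loop: every pending source of higher
    priority is dispatched before any idle callback runs."""

    def __init__(self):
        self._queue = []
        self._seq = itertools.count()   # keeps FIFO order within one priority

    def add(self, prio, callback, *args):
        heapq.heappush(self._queue, (prio, next(self._seq), callback, args))

    def run(self):
        while self._queue:
            _, _, callback, args = heapq.heappop(self._queue)
            callback(*args)


@dataclass
class Transaction:
    flags: int = 0
    authorized: bool = False
    scheduled: bool = False
    log: list = field(default_factory=list)


class Daemon:
    """Root-privileged transaction handler. fixed=False reproduces the bug;
    fixed=True freezes the flags once the transaction is authorized."""

    def __init__(self, loop, polkit_allows, fixed):
        self.loop = loop
        self.polkit_allows = polkit_allows  # what polkit would answer for a real install
        self.fixed = fixed
        self.tx = Transaction()

    def install_files(self, flags):
        """Handler for the D-Bus InstallFiles request on the one transaction."""
        tx = self.tx
        if self.fixed and (tx.authorized or tx.scheduled):
            tx.log.append("rejected: flags frozen after authorization")
            return False
        tx.flags = flags                     # bug: unconditional overwrite of cached flags
        if not tx.scheduled:                 # authorization happens only on the first call
            if flags & SAFE_FLAGS or self.polkit_allows:
                tx.authorized = True
            else:
                tx.log.append("polkit denied")
                return False
            tx.scheduled = True
            self.loop.add(PRIO_IDLE, self.run)   # the real work is deferred to idle time
        return True

    def run(self):
        """Idle callback: acts on whatever flags are cached at this moment."""
        if self.tx.flags & SAFE_FLAGS:
            self.tx.log.append("simulated or downloaded only")
        else:
            self.tx.log.append("INSTALLED as root")


def race(fixed):
    """Unprivileged client: a 'safe' request, then a second request with install
    flags on the same transaction, both delivered before the idle callback fires."""
    loop = EventLoop()
    daemon = Daemon(loop, polkit_allows=False, fixed=fixed)
    loop.add(PRIO_DBUS, daemon.install_files, SIMULATE)
    loop.add(PRIO_DBUS, daemon.install_files, INSTALL)
    loop.run()
    return daemon.tx.log


def honest_request(flags, polkit_allows):
    """Single request without a race, to show the normal path is unaffected by the hardening."""
    loop = EventLoop()
    daemon = Daemon(loop, polkit_allows=polkit_allows, fixed=True)
    loop.add(PRIO_DBUS, daemon.install_files, flags)
    loop.run()
    return daemon.tx.log


if __name__ == "__main__":
    print("vulnerable:", race(fixed=False))
    print("hardened:  ", race(fixed=True))
```

With fixed=False the second request lands while the idle callback is still queued, so the run step sees INSTALL and performs the install that polkit never saw; with fixed=True the same second request is refused and the transaction completes as the simulation it was authorized for.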

Solutions and mitigation

The vulnerability has been patched in PackageKit version 1.3.5. The developers therefore urge system administrators to check whether their systems are exposed, for example by checking whether the daemon is installed and active with systemctl status packagekit, or by watching transaction activity with pkmon, and to update.

Major distributions, including Debian, Ubuntu, and Fedora, have already begun distributing updated packages through their official channels. For systems where a patch is not yet available, the researchers have proposed a workaround: deploying a custom polkit rule.

The rule immediately and silently denies PackageKit installation actions for any user other than root, which prevents the race window from ever opening. It is also worth noting that, although the exploit is fast and silent, it leaves a clear trace in the system logs: after a successful exploit, the PackageKit daemon crashes with an assertion failure (assertion failed: (!transaction->priv->emitted_finished)). systemd restarts the service, so this does not amount to a denial of service, but the presence of this message in journalctl is a strong indicator that the flaw has been exploited on the system.
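Two of the checks described above (is the installed PackageKit older than the fixed 1.3.5 release, and does the journal carry the assertion message the exploit leaves behind) are easy to automate. The helpers below are an added example for this write-up, not code from the article, the researchers or PackageKit. They assume a version string containing an x.y.z number (for instance from pkcon --version or the distribution's package manager; the exact surrounding text is not relied on) and journal lines in journalctl -o short-iso form, where the first field is the timestamp. All sample data is constructed.

```python
"""Triage helpers for the PackageKit flaw (added example; sample data is constructed)."""
import re
from typing import Iterable, Optional, Tuple

FIXED_VERSION = (1, 3, 5)    # first release containing the fix, per the article
# Substring of the assertion message the article quotes from journalctl.
CRASH_MARKER = "assertion failed: (!transaction->priv->emitted_finished)"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """First x.y.z in the text; distro suffixes such as '-2ubuntu1' are ignored."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_unpatched(version_text: str) -> Optional[bool]:
    """True if older than 1.3.5, False if fixed, None if undeterminable."""
    v = parse_version(version_text)
    return None if v is None else v < FIXED_VERSION


def find_crash_events(journal_lines: Iterable[str]) -> list:
    """(timestamp, line) for every journal line carrying the assertion text."""
    hits = []
    for line in journal_lines:
        if CRASH_MARKER in line:
            timestamp = line.split(" ", 1)[0]   # short-iso: timestamp is the first field
            hits.append((timestamp, line.rstrip()))
    return hits


def triage(version_text: str, journal_lines: Iterable[str]) -> dict:
    """Combine both checks into one verdict; a crash signature outranks the version."""
    crashes = find_crash_events(journal_lines)
    unpatched = is_unpatched(version_text)
    if crashes:
        verdict = "investigate: exploit signature present in journal"
    elif unpatched is None:
        verdict = "unknown: could not determine PackageKit version"
    elif unpatched:
        verdict = "vulnerable: update to 1.3.5 or apply the polkit workaround"
    else:
        verdict = "patched"
    return {"version": parse_version(version_text), "unpatched": unpatched,
            "crashes": crashes, "verdict": verdict}


# Constructed sample inputs (not captured from a real system)
SAMPLE_VERSION_OLD = "pkcon version 1.2.8"
SAMPLE_VERSION_NEW = "pkcon version 1.3.5"
SAMPLE_JOURNAL_CLEAN = [
    "2026-05-03T10:12:01+0000 host packagekitd[812]: daemon start",
    "2026-05-03T10:12:30+0000 host packagekitd[812]: new transaction",
]
SAMPLE_JOURNAL_HIT = SAMPLE_JOURNAL_CLEAN + [
    "2026-05-03T10:12:44+0000 host packagekitd[812]: " + CRASH_MARKER,
    "2026-05-03T10:12:44+0000 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT",
    "2026-05-03T10:12:45+0000 host systemd[1]: packagekit.service: Scheduled restart job",
]

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION_OLD, SAMPLE_JOURNAL_HIT)["verdict"])
```

In practice the journal input would come from journalctl -o short-iso -u packagekit --no-pager; because systemd restarts the daemon, a crash may be the only remaining evidence, so the verdict treats any hit as a reason to investigate regardless of whether the package has since been updated.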

Finally, if you are interested in learning more about this, you can consult the details in the following link.