Pack2TheRoot: 12-year-old PackageKit flaw hands local users root on most Linux distros

A high-severity vulnerability in PackageKit, the daemon that brokers software install and update requests across most Linux distributions, lets unprivileged local users escalate to root. Tracked as CVE-2026-41651 with a CVSS of 8.8, the bug has been latent in the codebase since version 1.0.2 shipped in November 2014 and affects every release through 1.3.4. Deutsche Telekom’s Red Team traced it to a code path where commands like pkcon install skip the expected authentication step under certain conditions, and used Claude Opus to expand that primitive into a working root escalation.

Any distribution shipping PackageKit enabled by default should be treated as exposed. Confirmed targets so far include Ubuntu Desktop 18.04, 24.04.4 and 26.04 beta, Ubuntu Server 22.04 through 24.04, Debian Trixie 13.4, Rocky Linux 10.1, and both Fedora 43 Desktop and Server. The fix landed in PackageKit 1.3.5; technical write-ups and PoC code are being held back to give the patch time to propagate.

Exploitation is noisy: successful runs trip an assertion failure that crashes the daemon, leaving traces in system logs even after systemd restarts it. Admins can audit exposure with dpkg -l | grep packagekit or rpm -qa | grep packagekit, and confirm the daemon’s state via systemctl status packagekit. Given PackageKit’s ubiquity on desktop and server images alike, the patching window for defenders is narrow before working exploits surface publicly.