Critical Linux Vulnerability ‘Pack2TheRoot’ Enables Root-Level System Takeover – Patch Now

by Anika Shah - Technology

A high-severity privilege escalation vulnerability, dubbed Pack2TheRoot (CVE-2026-41651, CVSS 3.1: 8.8), has been publicly disclosed by Deutsche Telekom’s Red Team. It affects multiple major Linux distributions in their default installations. The flaw allows any local unprivileged user to silently install or remove system packages, ultimately achieving full root access without entering a password. The vulnerability resides in the PackageKit daemon, a widely deployed cross-distribution package management abstraction layer used across Debian, Ubuntu, Fedora, and Red Hat-based systems. Exploiting it, an attacker with basic local access can bypass authorization controls entirely, installing malicious packages or removing critical security components to compromise the system.

According to Telekom Security, all PackageKit versions from 1.0.2, released in November 2014, through 1.3.4 are affected. The bug has therefore persisted for almost 12 years in a background service that manages software installation, updates, and removal across Linux systems, creating an exceptionally broad attack surface. Because PackageKit is also an optional dependency of the Cockpit server management project, enterprise servers running Cockpit, including those running Red Hat Enterprise Linux (RHEL), may also be exposed.

Exploitability has been explicitly tested and confirmed on the following default installations, using the apt and dnf package manager backends:
- Ubuntu Desktop 18.04 (EOL), 24.04.4 LTS, and 26.04 LTS Beta
- Ubuntu Server 22.04 and 24.04 LTS
- Debian Desktop Trixie 13.4
- Rocky Linux Desktop 10.1
- Fedora 43 Desktop and Server
The researchers state that it is safe to assume any distribution that ships PackageKit pre-installed and enabled out of the box is vulnerable to CVE-2026-41651.

The vulnerability was discovered by Telekom Security during targeted research into local privilege escalation vectors on modern Linux systems. The team initially noticed that a pkcon install command could install a system package on Fedora Workstation without prompting for a password. Beginning in 2025, the researchers used Claude Opus by Anthropic to guide and accelerate their investigation, ultimately identifying the exploitable flaw. The finding was manually reviewed and verified before being responsibly reported to the PackageKit maintainers, who confirmed the issue and its exploitability.

Deutsche Telekom’s Red Team reported its findings to Red Hat and the PackageKit maintainers on April 8. Earlier this week, some information about the vulnerability was published alongside PackageKit 1.3.5, which addresses the issue. Technical details and a demo exploit have been withheld for now to allow the patches to propagate.

The Red Team’s investigation found that the root cause lies in the mechanism PackageKit uses to handle package management requests. Specifically, commands such as ‘pkcon install’ could execute without requiring authentication under certain conditions on a Fedora system, allowing the researchers to install a system package. Using Claude Opus, they explored the potential for exploiting this behavior further and discovered CVE-2026-41651.

[Figure: Redacted PoC exploit for Pack2TheRoot. Source: Deutsche Telekom.]
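Since the advisory gives the affected range (1.0.2 through 1.3.4) and the fixed release (1.3.5), a defender's first question is whether a given host is exposed. The following POSIX shell audit helper is an added example, not code from Telekom Security or the PackageKit project; it assumes the packagekit/PackageKit package names and the packagekit.service unit used by Debian- and Red Hat-family distributions, and a plain version-number comparison, so a vendor build that backports the fix under an older version string would still be flagged and must be checked against the distribution's own advisory.

```sh
#!/bin/sh
# Added audit helper (hypothetical, not Telekom Security's or PackageKit's code).
# Flags hosts whose installed PackageKit lies in the advisory's affected range
# 1.0.2 <= version <= 1.3.4 and reports whether packagekit.service is enabled.
# Normalise a distro version string: drop a leading epoch ("1:") and anything
# from the first non-digit, non-dot character ("-2ubuntu1", "+dfsg", "~rc1").
pk_norm_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[^0-9.].*$//'
}
# Numeric compare of two dotted versions on their first three components,
# padding missing ones with 0. Prints -1, 0 or 1 for $1 <, =, > $2.
pk_vercmp() {
    a=$(pk_norm_version "$1"); b=$(pk_norm_version "$2")
    set -- $(printf '%s\n' "$a" | tr . ' '); a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s\n' "$b" | tr . ' '); b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { printf '%s\n' -1; return 0; }
        [ "$1" -gt "$2" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}
# True (exit 0) when VERSION is within 1.0.2..1.3.4 as stated in the advisory.
pk_is_affected() {
    [ "$(pk_vercmp "$1" 1.0.2)" -ge 0 ] && [ "$(pk_vercmp "$1" 1.3.4)" -le 0 ]
}
# Installed version from the native package manager; empty when not installed.
# Package is "packagekit" on Debian/Ubuntu and "PackageKit" on Fedora/RHEL/Rocky.
pk_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' packagekit 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q PackageKit >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' PackageKit
    fi
}
# Print a one-line verdict for this host (always exits 0; use pk_is_affected in scripts).
pk_audit() {
    v=$(pk_installed_version)
    [ -n "$v" ] || { echo "PackageKit is not installed"; return 0; }
    state=$(systemctl is-enabled packagekit.service 2>/dev/null || echo unknown)
    if pk_is_affected "$v"; then
        echo "AFFECTED: PackageKit $v is within 1.0.2-1.3.4 (service: $state); upgrade to 1.3.5 or a vendor-patched build"
    else
        echo "OK: PackageKit $v is outside the affected range (service: $state)"
    fi
}
pk_audit
```

Run it as an unprivileged user on each host; a non-empty "AFFECTED" line on a system where the service is enabled is the combination the advisory describes as exposed.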
