12-year-old Pack2TheRoot bug lets Linux users gain root privileges
Publish Date: 2026-04-24 15:48:00
Source Domain: securityaffairs.com
Pierluigi Paganini
April 24, 2026

‘Pack2TheRoot’ flaw lets local Linux users gain root via PackageKit. CVE-2026-41651 (8.8) has existed for nearly 12 years.
The Pack2TheRoot flaw, tracked as CVE-2026-41651, lets unprivileged users install or remove system packages without authorization, potentially gaining full root access.
The vulnerability is rated high severity, with a CVSS score of 8.8, and has existed for nearly 12 years.
Discovered by Deutsche Telekom’s Red Team, it stems from PackageKit allowing commands like “pkcon install” to run without a password on some systems. Researchers used AI (Claude Opus) to explore the issue, confirmed it manually, and responsibly disclosed it to maintainers, who validated the flaw.
“Today we publicly disclose a high-severity vulnerability (CVSS 3.1: 8.8) – in coordination with distro maintainers – that affects multiple Linux distributions in their default installations. The Pack2TheRoot vulnerability can be exploited by any local unprivileged user to obtain root access on a vulnerable system.” reads the advisory published by Deutsche Telekom. “The vulnerability lies in the PackageKit daemon, a cross-distro package management abstraction layer.”
Details of the Pack2TheRoot flaw were disclosed alongside a fix in PackageKit 1.3.5, though exploit code was withheld to allow patching. Deutsche Telekom researchers found that PackageKit could run commands like “pkcon install” without authentication in some cases on Fedora, enabling package installation. The researchers used the Claude Opus AI tool to explore this behavior further and identified the vulnerability as CVE-2026-41651.
All PackageKit versions from 1.0.2 to 1.3.4 are vulnerable, affecting many Linux distributions for over 12 years. Tested systems include Ubuntu, Debian, Fedora, Rocky Linux, and others…
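For administrators triaging hosts against the version range above, the following is an added example, not code from the advisory or from PackageKit. The function names are hypothetical, and the package names `packagekit` (Debian/Ubuntu) and `PackageKit` (Fedora/Rocky) are assumed to be the ones in use.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a PackageKit version against
# the range the article gives: 1.0.2 through 1.3.4 affected, fixed in 1.3.5.
# Caveat: a distribution may backport the fix without changing the upstream
# version, so treat "in-affected-range" as "check the distro advisory".

# Reduce a package version to its upstream part: drop an epoch ("1:"),
# a distro revision ("-2ubuntu1") and any trailing non-numeric tag.
pk_upstream() {
    v=${1#*:}
    v=${v%%-*}
    v=${v%%[!0-9.]*}
    printf '%s\n' "$v"
}

# Encode MAJOR.MINOR[.PATCH] as one integer; fail on anything else.
pk_num() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    case "${1:-x}${2:-x}${3:-0}" in *[!0-9]*) return 1 ;; esac
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}

pk_status() {
    n=$(pk_num "$(pk_upstream "$1")") || { echo unknown; return 0; }
    if   [ "$n" -lt 1000002 ]; then echo predates-affected-range
    elif [ "$n" -le 1003004 ]; then echo in-affected-range
    else echo fixed-upstream
    fi
}

# Ask the package manager (package names are the usual Debian/Ubuntu and
# Fedora/Rocky ones; adjust for other distributions).
pk_installed_version() {
    dpkg-query -W -f='${Version}' packagekit 2>/dev/null && return 0
    rpm -q --qf '%{VERSION}' PackageKit 2>/dev/null && return 0
    return 1
}

# Classify the versions given as arguments, or the installed one if none.
if [ $# -eq 0 ]; then
    v=$(pk_installed_version) || v=
    set -- "$v"
fi
for v in "$@"; do
    printf '%s\t%s\n' "${v:-not-found}" "$(pk_status "$v")"
done
```

Run with no arguments it reports on the local package; given version strings collected from an inventory, it classifies each one.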