Pack2TheRoot: 12-Year-Old Linux PackageKit Flaw Enables Full Compromise

https://hackread.com/pack2theroot-linux-packagekit-flaw-full-compromise/

Publish Date: 2026-04-28 13:22:00

Source Domain: hackread.com

Researchers from Deutsche Telekom’s Red Team have disclosed a high-severity security flaw in PackageKit, the distribution-independent service that manages package installation on many Linux systems. The flaw, dubbed Pack2TheRoot and tracked as CVE-2026-41651 (CVSS 3.1 score 8.8), allows an unprivileged local user to gain root access on an affected machine.

Pack2TheRoot was discovered in 2025 after the team noticed that the ‘pkcon install’ command on Fedora Workstation completed without prompting for a password. Using Anthropic’s Claude Opus to help narrow down a specific privilege escalation vector, they traced the flaw to the PackageKit daemon, the background service that performs installations on behalf of unprivileged clients, and found that it could be triggered in seconds.

“The vulnerability enables an unprivileged attacker to install or remove system packages without authorization. This can be exploited to gain full root access or compromise the system in other ways,” the team explained in their blog post.

The technical exploit

According to the Red Team’s research, the problem is a Time-of-Check Time-of-Use (TOCTOU) race condition in src/pk-transaction.c. It stems from three defects in the daemon’s transaction handling. First, the InstallFiles() method lets a caller overwrite a transaction’s request data even after that transaction has already started running.

Second, nothing stops a transaction from sliding back into an unauthorized state once its request data has been tampered with. Third, the daemon reads the security flags only at the moment they are used rather than when authorization is checked, so the values that were authorized and the values that are acted on can differ.
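To make the three defects concrete, here is an added example written for this page rather than taken from PackageKit or the Red Team’s write-up: a small C model of an install transaction with the vulnerable check-then-use sequence beside a hardened one. The transaction fields, the state machine, the `policy_allows` rule, the `execute` helper and the RPM paths are all constructed assumptions; the daemon’s actual code in src/pk-transaction.c is not reproduced here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a PackageKit-style install transaction, written for this
 * article; it is not the daemon's src/pk-transaction.c. All names, the state
 * machine and the policy rule are assumptions. */
enum tx_state { TX_NEW, TX_AUTHORIZED, TX_DONE };

struct tx {
    enum tx_state state;
    char files[128];          /* paths handed to InstallFiles() */
    bool only_trusted;        /* security flag: refuse unsigned packages */
    char auth_files[128];     /* hardened path only: frozen at check time */
    bool auth_only_trusted;
};

struct outcome {
    bool installed;
    bool trusted_only;        /* flag value the install actually ran with */
    char files[128];
};

/* Constructed policy: a trusted-only install of a repository package needs no
 * password; anything else would require admin authorization. */
static bool policy_allows(const char *files, bool only_trusted) {
    return only_trusted && strstr(files, "/untrusted/") == NULL;
}

/* Shared tail: performs the install with whatever values it is handed. */
static struct outcome execute(struct tx *t, const char *files, bool only_trusted) {
    struct outcome o = { .installed = false };
    if (t->state != TX_AUTHORIZED) return o;
    o.installed = true;
    o.trusted_only = only_trusted;
    snprintf(o.files, sizeof o.files, "%s", files);
    t->state = TX_DONE;
    return o;
}

/* Defect 1: the request can be overwritten in any state, even mid-flight. */
static void set_request_vuln(struct tx *t, const char *files, bool only_trusted) {
    snprintf(t->files, sizeof t->files, "%s", files);
    t->only_trusted = only_trusted;
}

/* Defect 2: the check passes once; nothing stops a later write from moving the
 * transaction back to a configuration the check never approved. */
static bool authorize_vuln(struct tx *t) {
    if (!policy_allows(t->files, t->only_trusted)) return false;
    t->state = TX_AUTHORIZED;
    return true;
}

/* Hardened: parameters are accepted only before authorization; no way back. */
static bool set_request_safe(struct tx *t, const char *files, bool only_trusted) {
    if (t->state != TX_NEW) return false;
    set_request_vuln(t, files, only_trusted);          /* same copy, state-gated */
    return true;
}

/* Hardened: the check freezes exactly the values it evaluated. */
static bool authorize_safe(struct tx *t) {
    if (t->state != TX_NEW || !policy_allows(t->files, t->only_trusted)) return false;
    snprintf(t->auth_files, sizeof t->auth_files, "%s", t->files);
    t->auth_only_trusted = t->only_trusted;
    t->state = TX_AUTHORIZED;
    return true;
}

/* Replays the race: benign request, authorization, then a swap before use.
 * Defect 3: the install reads the live fields at time of use. */
static struct outcome race_vuln(void) {
    struct tx t = { .state = TX_NEW };
    set_request_vuln(&t, "/var/cache/repo/vim.rpm", true);
    if (!authorize_vuln(&t)) return (struct outcome){ .installed = false };
    set_request_vuln(&t, "/tmp/untrusted/evil.rpm", false);   /* after the check */
    return execute(&t, t.files, t.only_trusted);               /* TOCTOU window */
}

/* Same sequence against the hardened path: the swap is rejected and the
 * install runs on the frozen copy, so a late write cannot change it. */
static struct outcome race_safe(void) {
    struct tx t = { .state = TX_NEW };
    set_request_safe(&t, "/var/cache/repo/vim.rpm", true);
    if (!authorize_safe(&t)) return (struct outcome){ .installed = false };
    set_request_safe(&t, "/tmp/untrusted/evil.rpm", false);   /* returns false */
    return execute(&t, t.auth_files, t.auth_only_trusted);
}

static bool outcome_is(struct outcome o, bool trusted_only, const char *files) {
    return o.installed && o.trusted_only == trusted_only && strcmp(o.files, files) == 0;
}

int main(void) {
    struct outcome v = race_vuln(), s = race_safe();
    printf("vulnerable: ran %s, only_trusted=%d\n", v.files, v.trusted_only);
    printf("hardened:   ran %s, only_trusted=%d\n", s.files, s.trusted_only);
    return 0;
}
```

Build it with any C99 compiler and run it: the vulnerable path reports the untrusted package installed with the flag cleared, while the hardened path refuses the late write and installs only what was authorized. The fix pattern is the general one for TOCTOU bugs of this shape: reject mutation once the check has run, never let the state machine go backwards, and act on the values that were checked rather than re-reading mutable state at the point of use.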

Chained together, the researchers explained, these defects let an attacker install an RPM package of their own choosing; because RPM scriptlets run with the daemon’s root privileges during installation, this yields Local Privilege Escalation (LPE): an unprivileged local user becomes root without any authentication.

Although this attack occurs quickly, it can still leave a trace because the PackageKit…
