Pardus Linux Local Privilege Escalation Flaw Allows Silent Root Access
Pardus Linux Local Privilege Escalation Flaw Allows Silent Root Access
https://cybersecuritynews.com/pardus-linux-privilege-escalation-flaw/
Publish Date: 2026-05-20 10:15:00
Source Domain: cybersecuritynews.com
A critical vulnerability chain affecting Pardus Linux has been disclosed, allowing local users to gain full root privileges without authentication.
The issue, assigned a CVSS v3.1 score of 9.3, impacts the pardus-update package, a core component responsible for system updates in the Debian-based distribution maintained by TÜBİTAK.
Pardus is widely deployed across government institutions, educational environments, and enterprise systems in Turkey, making this flaw particularly significant in shared and multi-user environments.
Security researcher Çağrı Eser (0xc4gr1) identified that the issue is not a single bug, but a combination of three weaknesses that together enable complete system compromise.
These include a PolicyKit (Polkit) misconfiguration, a carriage return-line feed (CRLF) injection flaw, and an untrusted file path vulnerability.
Pardus Linux Privilege Escalation Flaw
The first issue lies in the Polkit policy configuration. Critical update actions, such as aptupdateaction and autoaptupgradeaction, were configured with “allow_any=yes,” allowing any user to execute privileged operations without authentication.
This effectively grants passwordless root execution of backend Python scripts via pkexec.
The second flaw exists in the SystemSettingsWrite.py script, which writes user-controlled input into a configuration file.
While newline characters are filtered, carriage return characters are not. This allows attackers to inject arbitrary configuration entries into /etc/pardus/pardus-update.conf.
By crafting a malicious input, attackers can insert a custom APT source path pointing to a file under their control.
The third issue arises in AutoAptUpgrade.py, which processes the manipulated configuration.
The script blindly copies attacker-supplied APT source files into /etc/apt/sources.list.d/ without validation. This enables attackers to introduce a malicious repository and trigger package installation as…
