CVE-2026-5140 Flaw Grants Root Access On Pardus Linux

https://thecyberexpress.com/cve-2026-5140-pardus-linux-root-access-flaw/

Publish Date: 2026-05-21 02:46:00

Source Domain: thecyberexpress.com

A critical local privilege escalation vulnerability chain tracked as CVE-2026-5140 has exposed serious security weaknesses in Pardus Linux. Researchers revealed that the flaws allow any unprivileged local user to gain full root access without authentication, potentially leading to complete system compromise within seconds.

The vulnerability affects the pardus-update package, which handles system updates through graphical tools and privileged Python helper scripts. The issue received a CVSS v3.1 score of 9.3, classifying it as “Critical.” The published vector is: 

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 

Maintained by TÜBİTAK, Pardus Linux is widely used across Turkish government institutions, schools, and enterprise environments. Researchers stated that the attack chain behind CVE-2026-5140 combines three separate vulnerabilities: a Polkit authorization bypass, a CRLF injection flaw, and an untrusted search path issue.

Polkit Misconfiguration Opens the Door 

The first issue was identified in the file: 

/usr/share/polkit-1/actions/tr.org.pardus.pkexec.pardus-update.policy 


Researchers discovered that several privileged actions were configured with unrestricted access permissions:

  <defaults>
    <allow_any>yes</allow_any>
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>

Because of this configuration, any local user could execute privileged operations through pkexec without entering an administrator password. The vulnerable actions included aptupdateaction, autoaptupgradeaction, and systemsettingswrite.

This allowed attackers to run the following scripts as root: 

  • SystemSettingsWrite.py  
  • AutoAptUpgrade.py  
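As an added example (not code from the article or from pardus-update), the following Python script audits polkit policy files for the pattern described above: actions whose <defaults> grant access without authentication (allow_any, allow_inactive or allow_active set to yes), reported together with the program the action executes. It can be pointed at the files in /usr/share/polkit-1/actions; when run with no arguments it audits an embedded sample policy that is constructed for illustration, with made-up action ids and paths, and that shows the hardened form (auth_admin) beside the permissive one.

```python
"""Audit polkit .policy files for actions granted without authentication.

Added example, not code from the article or from pardus-update. The sample
policy below is constructed: its action ids and exec paths are not Pardus's.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# The three children of a polkit <defaults> element, and the value that
# means "run without any authentication prompt".
DEFAULT_KEYS = ("allow_any", "allow_inactive", "allow_active")
NO_AUTH_VALUES = {"yes"}
EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"


def audit_policy(xml_text):
    """Return [(action_id, exec_path, {default_key: value})] for every action
    whose defaults grant access with no authentication at all."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue
        settings = {k: (defaults.findtext(k) or "").strip() for k in DEFAULT_KEYS}
        weak = {k: v for k, v in settings.items() if v in NO_AUTH_VALUES}
        if not weak:
            continue
        exec_path = None
        for ann in action.findall("annotate"):
            if ann.get("key") == EXEC_PATH_KEY:
                exec_path = (ann.text or "").strip()
        findings.append((action.get("id"), exec_path, weak))
    return findings


# Constructed sample: one action with the misconfiguration the article
# describes, one with the hardened defaults an updater should ship with.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.updater.write-settings">
    <description>Write updater settings</description>
    <message>Authentication is required to change updater settings</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/share/example-updater/SettingsWrite.py</annotate>
  </action>
  <action id="org.example.updater.apt-upgrade">
    <description>Run system upgrade</description>
    <message>Authentication is required to upgrade the system</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/share/example-updater/AptUpgrade.py</annotate>
  </action>
</policyconfig>
"""


def main(paths):
    texts = [Path(p).read_text(encoding="utf-8") for p in paths] or [SAMPLE_POLICY]
    for text in texts:
        for action_id, exec_path, weak in audit_policy(text):
            print(f"{action_id}: {weak} -> runs {exec_path}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

On the sample the script reports only org.example.updater.write-settings; the second action is left alone because auth_admin forces an administrator to authenticate before the exec path runs as root.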

CRLF Injection Enables Configuration Manipulation in Pardus Linux

The second flaw in CVE-2026-5140 involved SystemSettingsWrite.py, which writes user-controlled input into the configuration file:

/etc/pardus/pardus-update.conf 

Although Python’s ConfigParser sanitizes newline characters (\n), it does not properly filter carriage returns (\r). Attackers could exploit…
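The ConfigParser behaviour described above, as an added example that is not part of the article or of pardus-update: the script writes a value containing a line feed and then one containing a carriage return into a temporary file, re-reads the file the way a consuming program would, and shows that only the carriage return ends up as a separate option. The checked writer is the mitigation a privileged helper should apply: reject control characters in keys and values before anything reaches the file. The section and key names are constructed.

```python
"""Line feed versus carriage return in configparser values, and a writer that
validates before set().

Added example, not code from the article or from pardus-update. The file
layout (section "Update", key "interval") is constructed.
"""
import configparser
import os
import re
import tempfile

# Any ASCII control character, which covers CR (\x0d) and LF (\x0a).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def write_setting_unchecked(path, section, key, value):
    """Write the value exactly as received: the pattern the article describes."""
    cp = configparser.ConfigParser()
    cp.read(path)  # silently skips a missing file
    if not cp.has_section(section):
        cp.add_section(section)
    cp.set(section, key, value)
    with open(path, "w", encoding="utf-8") as f:
        cp.write(f)


def write_setting_checked(path, section, key, value):
    """Refuse anything that could alter the file's structure, then write."""
    for name, text in (("key", key), ("value", value)):
        if CONTROL_CHARS.search(text):
            raise ValueError(f"control character in {name}: {text!r}")
    # A key must not carry a delimiter or look like a section header either.
    if "=" in key or ":" in key or key.startswith("["):
        raise ValueError(f"invalid key: {key!r}")
    write_setting_unchecked(path, section, key, value)


def read_section(path, section):
    """Re-read the file as a consumer would and return the options it sees."""
    cp = configparser.ConfigParser()
    cp.read(path)
    return dict(cp.items(section)) if cp.has_section(section) else {}


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "updater.conf")
        # LF: configparser writes the second line indented, so on re-read it is
        # a continuation of the same value and no new option appears.
        write_setting_unchecked(path, "Update", "interval", "5\ntampered = 1")
        results["lf"] = read_section(path, "Update")
        # CR: written verbatim; reading in universal-newline mode treats the
        # bare CR as a line break, so "tampered" becomes its own option.
        write_setting_unchecked(path, "Update", "interval", "5\rtampered = 1")
        results["cr"] = read_section(path, "Update")
        # The checked writer rejects the input before the file is touched.
        try:
            write_setting_checked(path, "Update", "interval", "5\rtampered = 1")
            results["checked"] = "accepted"
        except ValueError as e:
            results["checked"] = str(e)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast rests on how the file is read back: ConfigParser.read() opens the path in text mode with universal newlines, so a lone \r is translated to a line break, while the \n case is defused only because write() indents continuation lines. Validating the input, rather than relying on either behaviour, is the robust fix.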
