Vulnerability | Bleeping Computer
8.8 — CRITICAL
New ‘Pack2TheRoot’ flaw gives hackers root Linux access
A new vulnerability dubbed Pack2TheRoot could be exploited in the PackageKit daemon to allow local Linux users to install or remove system packages and gain root permissions. [...]
🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview
A new vulnerability, Pack2TheRoot (CVE-2026-41651), allows local Linux users to install or remove system packages and gain root permissions due to a time-of-check time-of-use (TOCTOU) race condition in PackageKit. This flaw has persisted for almost 12 years, affecting multiple Linux distributions.
⚙️ Technical Details
CVEs
CVE-2026-41651
Affected Systems
Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta)
Ubuntu Server 22.04 – 24.04 (LTS)
Debian Desktop Trixie 13.4
RockyLinux Desktop 10.1
Fedora 43 Desktop
Fedora 43 Server
Attack Vector: LOCAL
💥 Impact Assessment
Severity: HIGH
🛡️ Recommended Actions
1. Upgrade to PackageKit version 1.3.5 as soon as possible.
2. Check whether PackageKit is installed, and so whether its daemon is available, with commands like dpkg -l | grep -i packagekit or rpm -qa | grep -i packagekit.
3. Ensure that any other software using PackageKit has been moved to a safe release.
📦 Affected Products
Packagekit Project Packagekit
🔐 NVD Verified Data (VERIFIED)
CVE-2026-41651: CVSS 8.8 — HIGH
Attack Vector: LOCAL
Complexity: LOW
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses: CWE-367
Affected Products (CPE): Packagekit Project Packagekit
This is a curated summary. The complete article is available at Bleeping Computer.
