Pack2TheRoot (CVE-2026-41651): Cross-Distro Local Privilege Escalation Vulnerability 22 Apr 2026 Today we publicly disclose a high-severity vulnerability (CVSS 3.1: 8.8) - in coordination with distro maintainers - that affects multiple Linux distributions in their default installations. The Pack2TheRoot vulnerability can be exploited by any local unprivileged user to obtain root access on a vulnerable system. The vulnerability lies in the PackageKit daemon , a cross-distro package management abstraction layer. The vulnerability enables an unprivileged attacker to install or remove system packages without authorization. This can be exploited to gain full root access or compromise the system in other ways. The Pack2TheRoot (CVE-2026-41651) vulnerability was discovered by Deutsche Telekom’s Red Team during targeted research into local privilege escalation vectors on modern Linux systems. PackageKit as a candidate initially caught our attention when we observed that a pkcon install command could install a system package without requiring a password on a Fedora Workstation. Starting in 2025, we began investigating whether this behavior could be abused to achieve arbitrary package installation. By guiding the AI-assisted research into a specific direction (using Claude Opus by Anthropic) we were able to discover an exploitable vulnerability. The finding was manually reviewed and verified before being responsibly reported to the PackageKit maintainers, who confirmed the issue and its exploitability. Which versions and systems are vulnerable? All PackageKit versions between >= 1.0.2 and <= 1.3.4 are vulnerable. Since PackageKit 1.0.2 was released over 12 years ago, this leaves a broad attack surface across Linux distributions. Exploitability has been explicitly tested and confirmed on the following distributions in default installations with apt and dnf package manager backends: Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta). Ubuntu Server 22.04 - 24.04 (LTS) Debian Desktop Trixie 13.4 RockyLinux Desktop 10.1 Fedora 43 Desktop Fedora 43 Server It is reasonable to assume that all distributions that ship PackageKit with it enabled are vulnerable. Since PackageKit is an optional dependency of the Cockpit project , many servers with Cockpit installed might be vulnerable as well, including Red Hat Enterprise Linux (RHEL). The vulnerability is fixed in PackageKit release 1.3.5 and distribution backports. Updates should be available from today 2026-04-22 12:00 CEST. How to check if your system is vulnerable It is not sufficient to simply grep through the process list, as PackageKit and Cockpit are not necessarily running as persistent processes as they can be activated on demand through D-Bus. First check if PackageKit is installed on your system and compare it with vulnerable versions , e.g. dpkg -l | grep -i packagekit or rpm -qa | grep -i packagekit Note grep ’s -i flag, as the package may be installed in camel case as PackageKit . To check if the PackageKit daemon is available, run systemctl status packagekit or pkmon . If systemctl shows it as loaded or running , or pkmon shows transaction output, the daemon is active and your system is potentially exploitable if unpatched. Updated Packages Despite of the fixed release 1.3.5 , multiple Distributions released patched packages. In the following, we link the Distros package overviews, that show Distro specific patched versions. Debian: https://security-tracker.debian.org/tracker/CVE-2026-41651 Ubuntu: https://bugs.launchpad.net/bugs/cve/2026-41651 Fedora 42 - 44: Fixed in PackageKit-1.3.4-3 https://koji.fedoraproject.org/koji/packageinfo?packageID=5206 Indicators of compromise (IOC) Even though the vulnerability is reliably exploitable in seconds, it leaves traces that serve as a strong indicator of compromise. After successful exploitation, the PackageKit daemon hits an assertion failure and crashes. Systemd recovers the daemon on the next D-Bus invocation, preventing a denial-of-service, but the crash is observable in the system logs: # journalctl --no-pager -u packagekit | grep -i emitted_finished Apr 18 09:56:36 Rocky10 packagekitd[2082]: PackageKit:ERROR:../src/pk-transaction.c:514:pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished) Apr 18 09:56:36 Rocky10 packagekitd[2082]: Bail out! PackageKit:ERROR:../src/pk-transaction.c:514:pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished) Technical Details We currently do not share technical details on the root cause of the vulnerability. We plan to add them at a later point in time here. Proof-of-Concept We have developed a working proof-of-concept that reliably exploits this vulnerability to achieve root code execution from an unprivileged local user on default installations of various distributions. However, the PoC code is not being shared publicly at this time for obvious reasons. Credits A huge thank you goes to PackageKit maintainer Ma...