Pack2TheRoot flaw allows Linux privilege escalation

April 27, 2026
By SC Staff

A vulnerability dubbed Pack2TheRoot, identified as CVE-2026-41651, has been publicly disclosed, enabling unprivileged local users to gain root access on affected Linux systems. The flaw, which has persisted for nearly 12 years, allows unauthorized installation or removal of system packages. It was discovered by Deutsche Telekom's Red Team and has a high severity rating with a CVSS score of 8.8, as reported by Security Affairs.

The Pack2TheRoot vulnerability resides within the PackageKit daemon, a package management abstraction layer used across multiple Linux distributions. Versions 1.0.2 through 1.3.4 are affected, impacting default installations on systems such as Fedora, Ubuntu, and Debian. Researchers found that on certain configurations PackageKit would execute commands such as "pkcon install" without requiring a password, thereby enabling privilege escalation.

Deutsche Telekom's team used the AI tool Claude Opus to further investigate the issue before responsibly disclosing it to the maintainers, who have since validated the flaw and released a fix in PackageKit version 1.3.5.

With a fix available in PackageKit 1.3.5, the onus is now on Linux distributions and system administrators to deploy the patch promptly to mitigate the risk of exploitation.

Source: Security Affairs
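The practical question for an administrator reading the above is simply whether the installed PackageKit falls inside the affected range. The script below is an added example written for this page, not code from Deutsche Telekom, PackageKit or Security Affairs; it takes the affected range (1.0.2 through 1.3.4) and the fixed version (1.3.5) from the article, and assumes the distribution ships PackageKit as the Debian/Ubuntu package "packagekit" or the Fedora package "PackageKit", queried through dpkg-query or rpm. The version comparison is done with awk so it does not depend on GNU sort -V.

```shell
#!/bin/sh
# Added example (not the project's own code): report whether the installed
# PackageKit version lies in the range the advisory names as affected.
# Read-only; safe to run as an unprivileged user.

AFFECTED_MIN="1.0.2"   # first affected version, per the article
AFFECTED_MAX="1.3.4"   # last affected version, per the article
FIXED="1.3.5"          # version carrying the fix, per the article

# vercmp A B: print -1, 0 or 1 comparing dotted numeric versions
# component-wise, treating missing trailing components as 0.
vercmp() {
    echo "$1 $2" | awk '{
        n1 = split($1, a, "."); n2 = split($2, b, ".");
        n = (n1 > n2) ? n1 : n2;
        for (i = 1; i <= n; i++) {
            x = (i <= n1) ? a[i] + 0 : 0;
            y = (i <= n2) ? b[i] + 0 : 0;
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# pk_version_affected VERSION: succeed (exit 0) when VERSION is within
# [AFFECTED_MIN, AFFECTED_MAX], fail otherwise.
pk_version_affected() {
    [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] &&
    [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# installed_packagekit_version: best-effort query of the distro package
# database (package names are an assumption, see lead-in). Prints the
# upstream version with Debian epoch/revision stripped, or nothing if
# PackageKit is not installed or neither tool is present.
installed_packagekit_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' packagekit 2>/dev/null |
            sed 's/^[0-9]*://; s/[-+~].*//'
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -q PackageKit >/dev/null 2>&1; then
            rpm -q --qf '%{VERSION}' PackageKit
        fi
    fi
}

# report: human-readable verdict for the running host.
report() {
    v=$(installed_packagekit_version)
    if [ -z "$v" ]; then
        echo "PackageKit not found via dpkg/rpm; nothing to assess"
    elif pk_version_affected "$v"; then
        echo "PackageKit $v is within the affected range ($AFFECTED_MIN-$AFFECTED_MAX); update to $FIXED or later"
    else
        echo "PackageKit $v is outside the affected range"
    fi
}

report
```

Because the check keys on the upstream version string, a distribution that backports the fix into an older version number will still be reported as affected; in that case confirm against the distribution's own advisory rather than the bare version.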