Ethical Hacking News
A new vulnerability dubbed Pack2TheRoot has been discovered in the PackageKit daemon, allowing local users to install or remove system packages and gain root access on Linux systems. The vulnerability, identified as CVE-2026-41651, affects various Linux distributions and persists across multiple versions of the package. To mitigate this risk, users are advised to upgrade to PackageKit version 1.3.5 and take proactive steps to secure their systems against potential attacks.
The Linux community has been alerted to a new vulnerability, Pack2TheRoot, which could grant hackers root access on Linux systems. The vulnerability affects the PackageKit daemon, a background service responsible for managing software installation and updates across various Linux distributions. The bug has persisted in the PackageKit daemon for nearly 12 years, with the first public disclosure of its existence happening recently. Researchers from Deutsche Telekom's Red Team discovered the vulnerability in how PackageKit handles package management requests. Users are advised to upgrade to PackageKit version 1.3.5 and ensure that any other software relying on the package has been moved to a safe release. The researchers noted that there are strong signs indicating compromise: even if systemd recovers the daemon, its crash is still observable in system logs.
The Linux community has been alerted to a new vulnerability dubbed Pack2TheRoot, which could potentially grant hackers root access on Linux systems. This vulnerability, identified as CVE-2026-41651, is a serious issue that affects the PackageKit daemon, a background service responsible for managing software installation, updates, and removal across various Linux distributions.
For nearly 12 years, this vulnerability has persisted in the PackageKit daemon, with the first public disclosure of its existence happening only recently. The mechanism behind the bug involves the way PackageKit handles package management requests, specifically with commands like 'pkcon install' that can execute without requiring authentication under certain conditions. This weakness allows an attacker to install a system package without being authenticated.
Researchers from Deutsche Telekom's Red Team have been instrumental in uncovering this vulnerability. Their investigation revealed that the cause of the bug lies in the way PackageKit handles package management requests, allowing for arbitrary commands to be executed without user interaction. Using the Claude Opus AI tool, they further explored the potential for exploiting this behavior and discovered the CVE-2026-41651 vulnerability.
The researchers reported their findings to Red Hat and PackageKit maintainers on April 8, stating that it is safe to assume that all distributions that come with PackageKit pre-installed and enabled out-of-the-box are vulnerable to this issue. The vulnerability has been present since PackageKit version 1.0.2, released in November 2014, and affects all versions through 1.3.4.
Testing by the researchers confirmed that an attacker could exploit CVE-2026-41651 on various Linux distributions, including Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta), Ubuntu Server 22.04 – 24.04 (LTS), Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, Fedora 43 Desktop, and Fedora 43 Server. Although the list is not exhaustive, any Linux distribution using PackageKit should be treated as potentially vulnerable to attacks.
To mitigate this vulnerability, users are advised to upgrade to PackageKit version 1.3.5 as soon as possible and ensure that any other software relying on the package has been moved to a safe release. Users can use commands like 'dpkg -l | grep -i packagekit' or 'rpm -qa | grep -i packagekit' to check if they have a vulnerable version of PackageKit installed, and 'systemctl status packagekit' or 'pkmon' to verify that the PackageKit daemon is running.
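The check described above can be scripted. The following is an added example, not code from the article, the researchers or the PackageKit project: it classifies the installed PackageKit version against the range the article gives (1.0.2 through 1.3.4 affected, 1.3.5 fixed) and reports whether the daemon is active. The function names are hypothetical, and the package names packagekit (dpkg) and PackageKit (rpm) are assumed.

```shell
#!/bin/sh
# Added example (not from the article or the PackageKit project).
# Range from the article: affected 1.0.2 through 1.3.4, fixed in 1.3.5.
FIRST_AFFECTED="1.0.2"
FIXED="1.3.5"

# Drop epoch and distro revision: "1:1.2.8-2ubuntu1" -> "1.2.8"
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# True when $1 sorts strictly before $2 (needs sort -V, e.g. GNU coreutils)
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints: affected | fixed | not-in-range | unknown
classify_version() {
    v=$(upstream_version "$1")
    case "$v" in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    if version_lt "$v" "$FIRST_AFFECTED"; then echo not-in-range
    elif version_lt "$v" "$FIXED"; then echo affected
    else echo fixed
    fi
}

# Version string of the installed package, empty if not installed
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' packagekit 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        out=$(rpm -q --qf '%{VERSION}\n' PackageKit 2>/dev/null) && echo "$out"
    fi
    return 0
}

report() {
    ver=$(installed_version)
    state=$(classify_version "$ver")
    echo "PackageKit version: ${ver:-not installed} ($state)"
    if command -v systemctl >/dev/null 2>&1 &&
        systemctl is-active --quiet packagekit; then
        echo "packagekit daemon is active"
    fi
    # A distro may backport the fix without changing the upstream version,
    # so confirm an "affected" result against the distribution's advisory.
}
report
```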
While details on exploitation are scarce, the researchers noted that there are strong signs indicating compromise: even if systemd recovers the daemon, its crash is still observable in system logs. As this vulnerability persists across various Linux distributions and has been present for nearly a decade, it highlights the need for regular security updates and careful management of software dependencies.
In light of this new discovery, users must prioritize package upgrades and take proactive steps to secure their systems against potential attacks. This vulnerability serves as a stark reminder of the importance of staying informed about emerging risks in the Linux community and maintaining up-to-date software dependencies.
Published: Fri Apr 24 12:53:29 2026 by llama3.2 3B Q4_K_M