New ‘Pack2TheRoot’ Flaw Gives Hackers Root Linux Access

BleepingComputer, Apr 24, 2026

Why It Matters

The exploit bypasses authentication, turning a routine package‑management tool into a privilege‑escalation vector that threatens enterprise Linux servers and cloud workloads. Prompt patching is essential to block potential lateral movement and data breaches.

Key Takeaways

  • Pack2TheRoot (CVE‑2026‑41651) grants root via unauthenticated pkcon commands.
  • Vulnerability spans PackageKit 1.0.2 through 1.3.4, 12‑year lifespan.
  • Affects Ubuntu, Debian, Fedora, Rocky Linux, and other PackageKit‑enabled distros.
  • Fix released in PackageKit 1.3.5; immediate upgrade recommended.
  • Check installations with dpkg or rpm and daemon status via systemctl.

Pulse Analysis

PackageKit is the default software‑management service on many desktop and server Linux distributions, handling installations, updates, and removals through a unified daemon. Because it runs with elevated privileges, any flaw in its request handling can have outsized consequences. The newly disclosed Pack2TheRoot vulnerability exploits a logic error that permits unauthenticated commands like pkcon install to execute as root, effectively turning a benign user action into a full system takeover. Its high CVSS score of 8.8 reflects both the ease of exploitation and the breadth of impact across a dozen popular distros.

The flaw was uncovered by Deutsche Telekom’s Red Team, who used Claude Opus to model the attack path and confirm CVE‑2026‑41651. Testing showed that any system with PackageKit versions 1.0.2 through 1.3.4 – released as early as November 2014 – could be compromised, including Ubuntu 18.04 (EOL), Ubuntu 24.04.4 LTS, Debian Trixie, Fedora 43, and Rocky Linux 10.1. In practice, an attacker who gains a foothold on a machine could silently install malicious packages, create backdoors, or exfiltrate data, all while the PackageKit daemon may crash and be silently restarted by systemd, leaving few immediate signs of intrusion.

Mitigation is straightforward: upgrade to PackageKit 1.3.5 or later and verify that the daemon is not running on systems where it is unnecessary. Administrators should audit installed packages with dpkg or rpm queries and monitor system logs for unexpected PackageKit crashes. The incident underscores the importance of regular security reviews for core system services and rapid patch deployment in the Linux ecosystem, especially as enterprises increasingly rely on Linux for critical infrastructure.
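
The version and daemon check described above, as an added example that is not from the article or the PackageKit project. The package names `packagekit` (dpkg) and `PackageKit` (rpm) and the unit name `packagekit.service` are assumptions about the host.

```shell
#!/bin/sh
# Added example: triage a host against the range named in the article
# (PackageKit 1.0.2 through 1.3.4, fixed in 1.3.5).
# Assumed names: packagekit (dpkg), PackageKit (rpm), packagekit.service.

# Strip a distro epoch ("1:") and revision ("-2ubuntu1", "-3.fc43").
pk_upstream_version() {
    pk_v="${1#*:}"
    printf '%s\n' "${pk_v%%-*}"
}

# version_le A B: true when A <= B under version ordering (sort -V),
# so that 1.3.10 is not mistaken for something older than 1.3.4.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Return 0 when the upstream part of the version is within 1.0.2..1.3.4.
pk_is_affected() {
    pk_u="$(pk_upstream_version "$1")"
    version_le "1.0.2" "$pk_u" && version_le "$pk_u" "1.3.4"
}

# Print the installed version via dpkg or rpm; print nothing if absent.
pk_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # Only count fully installed ("ii ") packages, not leftover config.
        dpkg-query -W -f='${db:Status-Abbrev}${Version}\n' packagekit \
            2>/dev/null | sed -n 's/^ii //p'
    elif command -v rpm >/dev/null 2>&1; then
        pk_q="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' PackageKit 2>/dev/null)" \
            && printf '%s\n' "$pk_q"
    fi
}

pk_report() {
    pk_ver="$(pk_installed_version)"
    if [ -z "$pk_ver" ]; then
        echo "PackageKit: not installed"
    elif pk_is_affected "$pk_ver"; then
        echo "PackageKit $pk_ver: in affected range, upgrade to 1.3.5 or later"
    else
        echo "PackageKit $pk_ver: outside 1.0.2-1.3.4"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        echo "daemon: $(systemctl is-active packagekit.service 2>/dev/null)"
    fi
    return 0
}

pk_report
```

The comparison uses only the upstream version number, so a distribution package that carries a backported fix under an older version string will still be flagged; confirm against the distribution's own advisory.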
