Critical ‘Pack2TheRoot’ Linux Flaw Enables Root Access
Unprivileged Users Can Install Arbitrary Packages as Root Via Easily Exploitable Pack2TheRoot Vulnerability
A high-severity vulnerability in the PackageKit cross-distribution package management abstraction layer has been disclosed, allowing unprivileged users to install packages with root privileges.
- The flaw, tracked as CVE-2026-41651, is a time-of-check time-of-use (TOCTOU) race condition on transaction flags.
- Dubbed Pack2TheRoot, this bug involves a combination of three issues, where caller-supplied flags are written without verifying whether the transaction has been authorized, and are accepted even when the transaction is already active.
- As a result, the backend sees the attacker's flags, because the flags are read at dispatch time rather than at authorization time.
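The bullets above describe a time-of-check to time-of-use gap: the policy check evaluates the flags at one moment, the backend reads them at a later one, and nothing stops a write in between. The following toy model, added here as an illustration and not taken from PackageKit's source, shows a transaction object with that defect beside a hardened variant that freezes the flags once authorization starts and hands the backend the snapshot the policy actually evaluated. The `VulnerableTransaction`/`FixedTransaction` classes, the `TRUSTED_ONLY`/`SIMULATE` flag values, the `unprivileged_policy` function and the `authorize()`/`dispatch()` split are all assumptions made for this example.

```python
# Added illustration: a toy model of a TOCTOU race on transaction flags.
# This is NOT PackageKit's code. The Transaction classes, the flag values,
# the policy function and the authorize()/dispatch() split are assumptions
# made for this example.

TRUSTED_ONLY = 0x1   # hypothetical flag: only signed/trusted packages may be installed
SIMULATE = 0x2       # hypothetical flag: dry run, nothing is changed on disk


class NotAuthorized(Exception):
    """Raised when the policy check rejects the transaction."""


def unprivileged_policy(flags: int) -> bool:
    """Hypothetical policy: an unprivileged caller may proceed only when the
    transaction is restricted to trusted packages."""
    return bool(flags & TRUSTED_ONLY)


class VulnerableTransaction:
    """Flags can be rewritten at any time and are read only at dispatch,
    so the backend may act on flags the policy never saw."""

    def __init__(self) -> None:
        self.flags = TRUSTED_ONLY
        self.authorized = False
        self.active = False

    def set_flags(self, flags: int) -> None:
        # No check of whether authorization already happened or whether the
        # transaction is active: this is the defect being modelled.
        self.flags = flags

    def authorize(self, policy) -> None:
        # The policy decides on the flags as they are *now* ...
        if not policy(self.flags):
            raise NotAuthorized("policy rejected the requested flags")
        self.authorized = True
        self.active = True

    def dispatch(self) -> int:
        if not self.authorized:
            raise NotAuthorized("transaction was never authorized")
        # ... but the backend reads self.flags *here*, after the window in
        # which set_flags() may have changed them.
        return self.flags


class FixedTransaction(VulnerableTransaction):
    """Hardened variant: flags are frozen once authorization starts, and the
    backend receives the snapshot that the policy actually evaluated."""

    def __init__(self) -> None:
        super().__init__()
        self.authorized_flags = None

    def set_flags(self, flags: int) -> None:
        if self.authorized or self.active:
            raise PermissionError("flags cannot change after authorization has started")
        self.flags = flags

    def authorize(self, policy) -> None:
        # Mark the transaction active *before* the check so a late set_flags()
        # is refused, then snapshot the flags the policy evaluated.
        self.active = True
        if not policy(self.flags):
            self.active = False
            raise NotAuthorized("policy rejected the requested flags")
        self.authorized_flags = self.flags
        self.authorized = True

    def dispatch(self) -> int:
        if not self.authorized:
            raise NotAuthorized("transaction was never authorized")
        return self.authorized_flags


def flags_seen_by_backend(transaction_cls) -> int:
    """Run the sequence the article describes: a caller requests a restricted
    transaction, passes the policy check, then rewrites the flags before
    dispatch. Returns the flags the backend ends up acting on."""
    tx = transaction_cls()
    tx.set_flags(TRUSTED_ONLY)
    tx.authorize(unprivileged_policy)
    try:
        tx.set_flags(0)  # late write that drops the restriction
    except PermissionError:
        pass  # the hardened transaction refuses the late write
    return tx.dispatch()


def authorization_rejects(transaction_cls, flags: int) -> bool:
    """True if the policy check refuses a transaction requested with `flags`."""
    tx = transaction_cls()
    tx.set_flags(flags)
    try:
        tx.authorize(unprivileged_policy)
    except NotAuthorized:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable backend sees flags:", flags_seen_by_backend(VulnerableTransaction))
    print("fixed backend sees flags:     ", flags_seen_by_backend(FixedTransaction))
```

Both classes reject an unrestricted request at authorization time; the difference is only in what happens afterwards. The vulnerable backend ends up with `0` (the restriction dropped after the check), while the fixed backend ends up with `TRUSTED_ONLY`, which is the value the policy evaluated. The defensive pattern is the same one the patched versions need: decide on an immutable snapshot, and refuse any write to the decision inputs once the check has begun.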
This security defect affects PackageKit versions 1.0.2 to 1.3.4, although it is believed to have existed since version 0.8.1, which was released 14 years ago.
Multiple Linux distributions have been confirmed as affected, including:
- Ubuntu Desktop 18.04
- Ubuntu Server 22.04
- Debian Desktop Trixie 13.4
- RockyLinux Desktop 10.1
- Fedora 43 Desktop
- Fedora 43 Server
Patches addressing this vulnerability have been incorporated into recent Debian, Ubuntu, and Fedora updates, specifically in PackageKit version 1.3.5.
In related news, multiple organizations have warned of exploited Linux vulnerabilities, while others have highlighted the use of old techniques by malicious actors. Furthermore, various reports have discussed recent Microsoft Defender vulnerabilities, Apache ActiveMQ exploits, and wiper malware targeting the Venezuelan energy sector prior to US intervention.
