Pack2TheRoot flaw: how Linux users could get root via PackageKit

Pack2TheRoot vulnerability – A long-lived PackageKit vulnerability (CVE-2026-41651) may let local users install/remove system packages and escalate to root. Patch via PackageKit 1.3.5 and verify your daemon.
A newly disclosed Linux vulnerability, dubbed Pack2TheRoot, is turning heads because it targets PackageKit—a service most admins rarely think about until it breaks.
Security teams say the issue (CVE-2026-41651, rated 8.8/10) could allow a local attacker to install or remove system packages and, in the process, gain root permissions. What makes the story more worrying is the timeline: the flaw appears to have existed for nearly 12 years inside the PackageKit daemon, which quietly handles software installation, updates, and removal in the background.
At the center of the investigation is how PackageKit processes package management requests. Researchers from Misryoum’s newsroom briefing report that specific command paths—such as using pkcon install—could execute in situations where authentication wasn’t properly enforced. On a real system, that’s the difference between “you can install a user-level app” and “you can touch system-level packages,” which is exactly the bridge that can lead to root.
Misryoum understands that the vulnerability was identified and analyzed as part of the ongoing work around PackageKit’s request-handling behavior. The reported remediation landed as PackageKit version 1.3.5, but Misryoum notes that detailed exploit demonstrations were not released publicly, likely to reduce the chance of rapid, opportunistic attacks before patches spread.
One of the most practical takeaways is distribution exposure. Misryoum reports that researchers concluded “all distributions” shipping PackageKit pre-installed and enabled out of the box should be treated as vulnerable. The affected range spans from PackageKit 1.0.2 (released in 2014) through 1.3.4, meaning this is not a niche edge case—it’s deeply embedded in long-running software stacks.
Where it gets concrete is the list of platforms that have been tested. Misryoum briefing coverage highlights systems including Ubuntu Desktop 18.04 (end-of-life) and multiple Ubuntu LTS releases such as 24.04.4 and 26.04 beta, along with Ubuntu Server 22.04–24.04. It also includes Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43 Desktop and Server. The list isn’t meant to be exhaustive, so Misryoum’s editorial guidance for readers is simple: if your distribution uses PackageKit, assume you’re in scope until you verify the installed version.
From an admin’s perspective, the fix is straightforward: upgrade to PackageKit 1.3.5 as soon as possible. Misryoum also recommends checking that any other software depending on PackageKit has moved to safe releases, since the security problem can propagate through dependency chains.
To help validate whether you’re currently exposed, Misryoum provides the quick verification steps referenced in the disclosure. You can check the installed version with commands like dpkg -l | grep -i packagekit on Debian-based systems, or rpm -qa | grep -i packagekit on RPM-based systems. You can also confirm whether the daemon is present and running using systemctl status packagekit or pkmon—because even the best patch strategy starts with knowing what’s actually deployed.
Misryoum’s risk lens goes beyond “vulnerable vs. patched.” The researchers indicate there are strong signs of compromise when exploitation occurs: the PackageKit daemon reportedly hits an assertion failure and crashes. Even if systemd automatically restarts the service, the crash leaves traces in logs, which gives defenders a potential window for detection and containment—especially on machines where administrators monitor system events.
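As an added illustration (not code from the disclosure or from the PackageKit project), the following shell script folds the two checks above into one run: it reads the installed version via dpkg-query or rpm, tests it against the reported affected range 1.0.2 through 1.3.4, and counts journal-style lines that look like the daemon assertion crash. The package names, the crash-line pattern and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the disclosure or the PackageKit project: checks the
# installed PackageKit version against the affected range 1.0.2..1.3.4 and
# scans journal-style lines for the daemon assertion crash described above.
# Assumed: package names "packagekit" (deb) / "PackageKit" (rpm); a crash
# line that mentions both packagekitd and an assertion.

# Compare dotted versions; prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$2" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# True (exit 0) when the version lies inside the reported affected range.
pk_is_affected() {
    [ "$(vercmp "$1" 1.0.2)" -ge 0 ] && [ "$(vercmp "$1" 1.3.4)" -le 0 ]
}

# Upstream version of the installed PackageKit, or nothing if absent.
installed_pk_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' packagekit 2>/dev/null | sed 's/[-+~].*//'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' PackageKit 2>/dev/null
    fi
}

# Count lines on stdin that look like a packagekitd assertion failure.
count_pk_assertions() {
    grep -ci 'packagekitd.*assert' || true
}

# Constructed sample journal lines (not real system output).
SAMPLE_LOG='Mar 01 10:00:01 host packagekitd[1234]: daemon started
Mar 01 10:02:13 host packagekitd[1234]: ERROR: assertion failed in transaction handling
Mar 01 10:02:14 host systemd[1]: packagekit.service: Main process exited, code=dumped
Mar 01 10:02:15 host systemd[1]: packagekit.service: Scheduled restart job'

v=$(installed_pk_version)
if [ -z "$v" ]; then echo "PackageKit not installed (or no dpkg/rpm found)"
elif pk_is_affected "$v"; then echo "PackageKit $v is in the affected range: upgrade to 1.3.5"
else echo "PackageKit $v is outside the affected range"; fi
echo "assertion-style crash lines in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_pk_assertions)"
```

On a live host, feed `journalctl -u packagekit --no-pager` into count_pk_assertions instead of the constructed sample to look for the crash traces the researchers describe.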