
A newly disclosed vulnerability in a near-universal Linux component has handed any local, unprivileged user the keys to the entire system — no password, no exploit chain, no guesswork required.
Dubbed Pack2TheRoot and tracked as CVE-2026-41651, the flaw lives in PackageKit — the background daemon that most major Linux desktop distributions use to manage software installations without requiring users to drop into a terminal.
The bug has existed since PackageKit version 1.0.2, released over 12 years ago, meaning the vulnerable codebase has shipped inside countless Linux systems as a default component for well over a decade.
The vulnerability was uncovered by Deutsche Telekom's Red Team, who noticed something suspicious during routine research: running a simple pkcon install command on a Fedora Workstation could install a system package without prompting for a password. That oddity became a thread worth pulling.
The team — assisted by AI-guided analysis using Claude Opus — eventually identified an exploitable race condition (a flaw where two competing processes can be manipulated to produce an unintended outcome) that allows a low-privileged attacker to install or remove system packages entirely without authorisation, ultimately dropping into a full root shell.
The CVSS score is 8.8 (High), with low attack complexity and no user interaction required — a combination that makes this straightforwardly dangerous in any multi-user environment, shared server, or corporate Linux workstation.
Confirmed vulnerable distributions include Ubuntu Desktop 18.04, 24.04.4, and 26.04 beta; Ubuntu Server 22.04–24.04; Debian Trixie 13.4; Rocky Linux 10.1; and Fedora 43 Desktop and Server. The researchers also flag that servers running Cockpit — a popular web-based Linux admin panel — may be exposed even when PackageKit isn't running as a persistent service, since both tools activate on demand via D-Bus.
One usable indicator of compromise exists: after successful exploitation, the PackageKit daemon crashes with an assertion failure. Administrators can check system logs with journalctl -u packagekit | grep emitted_finished for evidence of prior exploitation.
The fix is already available. PackageKit 1.3.5 resolves the issue, and Debian, Ubuntu, and Fedora have released patched packages as of April 22, 2026. Users should run their system updater immediately and verify their installed PackageKit version via dpkg -l | grep -i packagekit or rpm -qa | grep -i packagekit.
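The two administrator checks the article names (the journal indicator and the installed-version check) as a small POSIX shell script; this is an added example, not code from the researchers or the PackageKit project, and the journal lines it reads are constructed samples, while the rpm/dpkg query commands in the comments are assumed package names for Fedora- and Debian-family systems.

```shell
#!/bin/sh
# Added example (not from the advisory or PackageKit). FIXED_VERSION is
# the release the article names as containing the fix; the journal text
# below is a CONSTRUCTED sample, not real PackageKit output.

FIXED_VERSION="1.3.5"

# Return 0 (true) when dotted version $1 sorts before $2. Fields are
# compared numerically so that 1.10.0 is correctly newer than 1.3.5, and a
# distro suffix such as "1.3.5-2" is tolerated (awk's numeric cast drops it).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Print "vulnerable" or "patched" for an installed PackageKit version string.
packagekit_status() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# Count stdin lines carrying the indicator the article names
# (the emitted_finished assertion failure). Prints 0 when none match.
count_indicator_lines() {
    grep -c 'emitted_finished' || true
}

# CONSTRUCTED sample journal: one benign line, one carrying the indicator.
SAMPLE_JOURNAL='Apr 22 10:01:02 host PackageKit[1234]: daemon started (constructed sample)
Apr 22 10:05:17 host PackageKit[1234]: CONSTRUCTED sample assertion line mentioning emitted_finished'

# Demo on the constructed data. On a live host replace these with, e.g.:
#   journalctl -u packagekit | count_indicator_lines
#   packagekit_status "$(rpm -q --qf '%{VERSION}' PackageKit)"          # rpm-based (assumed name)
#   packagekit_status "$(dpkg-query -W -f='${Version}' packagekit)"     # dpkg-based (assumed name)
printf '%s\n' "$SAMPLE_JOURNAL" | count_indicator_lines
packagekit_status "1.3.4"
```

A non-zero indicator count only shows the daemon hit the assertion the researchers describe; it should prompt a review of package-install history and the patch status, not be read as proof of compromise on its own.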
Technical details of the root cause and the proof-of-concept exploit are being withheld pending broader adoption of the patch.