A long-standing security flaw has been unearthed in a core component of the modern Linux desktop and server ecosystem. Known as Pack2TheRoot, this critical vulnerability resides in PackageKit, a D-Bus abstraction layer designed to allow users to manage software packages across different distributions and architectures in a unified, secure way.
The flaw, officially tracked as CVE-2026-41651, carries a high-severity CVSS score of 8.8. It allows unprivileged users to escalate their privileges to root, effectively gaining total control over the affected system.
The scope of this discovery is particularly alarming due to its age. The vulnerability impacts all PackageKit versions from 1.0.2 to 1.3.4. Because version 1.0.2 was released over 12 years ago, the “Pack2TheRoot” flaw has been present, and undetected, in the wild for over a decade, creating a “broad attack surface across Linux distributions”.
The “Pack2TheRoot” vulnerability is caused by a race condition. In the world of cybersecurity, a race condition occurs when a system’s security depends on the sequence or timing of uncontrollable events.
By exploiting this timing window within PackageKit’s package management process, a local, unprivileged attacker can bypass security checks. This allows them to trick the system into installing arbitrary packages with root-level permissions. Once an attacker can install software as root, they can deploy persistent backdoors, steal sensitive data, or disable security protocols.
Deutsche Telekom’s Red Team, who discovered the flaw, confirmed that default installations of several major distributions are vulnerable. The exploit has been successfully tested on systems using both apt and dnf package manager backends.
Verified vulnerable distributions include:
- Ubuntu Desktop: 18.04 (EOL), 24.04.4 (LTS), and 26.04 (LTS beta).
- Ubuntu Server: 22.04 through 24.04 (LTS).
- Debian Desktop: Trixie 13.4.
- Rocky Linux Desktop: 10.1.
- Fedora 43: Both Desktop and Server versions.
The maintainers of PackageKit have released a patch (>= 1.3.5) to close the race condition. Administrators and users are urged to update their systems immediately to protect against local privilege escalation.
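To check a host against the version range given above, the following added example (not code from the PackageKit project or from the researchers) reads the installed package version and classifies it. The function names are hypothetical, and the package names `packagekit` (Debian/Ubuntu) and `PackageKit` (Fedora/Rocky Linux) are assumed.

```shell
#!/bin/sh
# Added example: classify a PackageKit version against the range in the article
# (1.0.2 through 1.3.4 affected, 1.3.5 and later patched).

# Reduce a distro package version to upstream x.y.z:
# drop an epoch ("1:"), a revision/release ("-2ubuntu1"), and ~/+ suffixes.
upstream_version() {
    u=${1#*:}; u=${u%%-*}; u=${u%%[~+]*}
    printf '%s\n' "$u"
}

# Map x.y.z to one integer for comparison; prints -1 if a field is non-numeric.
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    a=${1:-0}; b=${2:-0}; c=${3:-0}
    case "$a$b$c" in *[!0-9]*) echo -1; return 0 ;; esac
    echo $(( a * 1000000 + b * 1000 + c ))
}

classify() {
    k=$(version_key "$(upstream_version "$1")")
    if [ "$k" -lt 0 ]; then echo unknown
    elif [ "$k" -lt 1000002 ]; then echo outside-range   # older than 1.0.2
    elif [ "$k" -le 1003004 ]; then echo vulnerable      # 1.0.2 .. 1.3.4
    else echo patched                                    # 1.3.5 or later
    fi
}

# Query the package database; package names are assumed to be those used by
# Debian/Ubuntu (packagekit) and Fedora/Rocky Linux (PackageKit).
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' packagekit 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' PackageKit 2>/dev/null && return 0
    fi
    return 1
}

if v=$(installed_version) && [ -n "$v" ]; then
    echo "PackageKit $v: $(classify "$v")"
else
    echo "PackageKit not found via dpkg-query or rpm"
fi
```

The result is based on the upstream version number only. A distribution may ship the fix as a backport under an older version number, so confirm a `vulnerable` result against the distribution's advisory for CVE-2026-41651.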