GoKawiilA new vulnerability dubbed Pack2TheRoot could be exploited in the PackageKit daemon to allow local Linux users to install or remove system packages and gain root permissions.
The flaw is identified as CVE-2026-41651 and received a medium-severity rating of 8.8 out of 10. It has persisted for almost 12 years in the PackageKit daemon, a background service that manages software installation, updates, and removal across Linux systems.
Earlier this week, some information about the vulnerability has been published, along with PackageKit version 1.3.5 that addresses the issue. However, technical details and a demo exploit have been not been disclosed to allow the patches to propagate.
An investigation from the Deutsche Telekom Red Team uncovered that the cause of the bug is the mechanism PackageKit uses to handle package management requests.
Specifically, the researchers found that commands like ‘pkcon install’ could execute without requiring authentication under certain conditions on a Fedora system, allowing them to install a system package.
Using the Claude Opus AI tool, they further explored the potential for exploiting this behavior and discovered CVE-2026-41651.
Redacted PoC exploit for Pack2TheRoot
Source: Deutsche Telekom
Impact and fixes
Deutsche Telekom's Red Team reported their findings to Red Hat and PackageKit maintainers on April 8. They state that it’s safe to assume that all distributions that come with PackageKit pre-installed and enabled out-of-the-box are vulnerable to CVE-2026-41651.
... continue reading