
A high-severity Linux vulnerability known as “Pack2TheRoot” (CVE-2026-41651) has been identified in PackageKit, a widely used package management component, allowing attackers to gain full root access on affected systems.
The flaw is caused by a time-of-check to time-of-use (TOCTOU) race condition in how PackageKit handles transaction flags. This issue allows unprivileged users to manipulate package installation processes and execute actions with elevated permissions.
By exploiting this vulnerability, a local attacker can install or remove software packages without authentication, effectively bypassing security controls. This enables execution of arbitrary code with root privileges, leading to complete system compromise.
The vulnerability affects PackageKit versions from 1.0.2 to 1.3.4 and may have existed for over a decade, making it particularly concerning due to its long exposure across multiple Linux distributions, including Ubuntu, Debian, and Fedora.
Security researchers noted that the bug stems from multiple logic flaws, such as overwriting transaction flags during execution and improper state handling, which together allow attackers to inject malicious parameters into running processes.
With a CVSS score of around 8.8, the vulnerability is considered highly dangerous, especially since it requires only low-privileged local access and no user interaction to exploit.
A patch has been released in PackageKit version 1.3.5, and Linux distributions are rolling out updates. Experts strongly recommend immediate patching, as the flaw is easy to exploit and can grant attackers full administrative control over affected systems.
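A version-triage helper, added here as an example that is not part of the original article or of the PackageKit project: it classifies a PackageKit version string (for instance from `dpkg -s packagekit` or `rpm -q PackageKit`) against the affected range and fixed version stated above, and treats a distribution changelog that names the CVE as a backported fix, because distributions frequently patch without bumping the upstream version. The sample changelog entry is constructed.

```python
import re

# Affected range and fixed release as stated in the advisory summary above.
AFFECTED_MIN = (1, 0, 2)
AFFECTED_MAX = (1, 3, 4)
FIXED = (1, 3, 5)
CVE_ID = "CVE-2026-41651"

# Constructed sample of a distro changelog that backports the fix
# without changing the upstream version number.
SAMPLE_CHANGELOG = """\
packagekit (1.2.5-2ubuntu2.1) noble-security; urgency=medium

  * SECURITY UPDATE: TOCTOU race in transaction flag handling
    - CVE-2026-41651
"""


def parse_version(text):
    """Return the upstream (major, minor, patch) triple from a version string.

    Packaging suffixes such as '1.2.5-2ubuntu2' or '1.3.4-1.fc40' are
    ignored; only the leading numeric triple is compared.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text, changelog_text=None):
    """Classify an installed PackageKit build for this advisory.

    A changelog naming the CVE overrides the version comparison, since a
    backported fix leaves the upstream version inside the affected range.
    """
    if changelog_text and CVE_ID in changelog_text:
        return "backport-fixed"
    v = parse_version(version_text)
    if v >= FIXED:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "outside-range"


if __name__ == "__main__":
    for sample in ("1.3.4-1", "1.3.5", "1.0.1"):
        print(sample, "->", assess(sample))
    print("1.2.5-2ubuntu2.1 ->", assess("1.2.5-2ubuntu2.1", SAMPLE_CHANGELOG))
```

A version inside the affected range is only a lead; confirm against your distribution's security tracker or changelog before concluding a host is exposed.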
The discovery highlights ongoing risks in widely deployed system components, where even subtle race condition bugs can lead to severe privilege escalation and long-term security exposure.