"Pack2TheRoot": Security vulnerability affects several Linux distributions

The Telekom security team has discovered the "Pack2TheRoot" vulnerability, which allows privilege escalation in several distributions.


“Pack2TheRoot”: This is what the Telekom security team calls a recently discovered vulnerability in PackageKit, which allows attackers to escalate their privileges on the system. Several Linux distributions in their standard configuration are affected.

This is reported by Telekom on its security pages. PackageKit is an abstraction layer over D-Bus for securely managing packages independently of distribution and architecture. The vulnerability allows attackers with low privileges on the system to install or remove system packages without authorization. Among other things, this lets malicious actors gain root privileges or compromise the system in other ways.

The security vulnerability is a time-of-check-to-time-of-use (TOCTOU) bug: a race condition on the transaction flags, specifically transaction->cached_transaction_flags. Three errors in the code allow these flags to be overwritten between the time of authorization and the time of execution (CVE-2026-41651, CVSS 8.8, risk "high"). The rating thus falls only narrowly short of critical.

PackageKit versions 1.0.2 through 1.3.4 are affected; the developers fixed the vulnerabilities in version 1.3.5 and later. The larger distributions in particular have shipped updated packages since April 22, 2026, which IT managers should apply promptly. Telekom hints at a proof of concept but is not publishing it (yet) for security reasons.
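For triage, the first question on each host is simply whether an affected PackageKit is installed and whether its D-Bus service is active. The following POSIX shell script is an added example, not code from the article or from the PackageKit project: it compares the installed version against the affected range 1.0.2 to 1.3.4 stated above and reports the service state. It assumes the usual package names (PackageKit on RPM systems, packagekit on Debian derivatives) and the systemd unit name packagekit.service; the version strings passed in the usage lines at the bottom are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the heise article or from PackageKit itself).
# Reports whether a host runs a PackageKit version in the affected range
# 1.0.2 - 1.3.4 named in the article and whether the service is active.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Returns 0 (true) if the given PackageKit version lies in the affected
# range 1.0.2 <= version <= 1.3.4; fixed releases start at 1.3.5.
pk_version_affected() {
    [ "$(vercmp "$1" 1.0.2)" -ge 0 ] && [ "$(vercmp "$1" 1.3.4)" -le 0 ]
}

# Prints the installed upstream PackageKit version, or nothing if absent.
# Package names are an assumption: "PackageKit" (RPM) / "packagekit" (dpkg).
pk_installed_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q PackageKit >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' PackageKit | head -n1
    elif command -v dpkg-query >/dev/null 2>&1; then
        # Strip a Debian epoch ("1:") and the packaging revision ("-1", "+dfsg", "~rc").
        dpkg-query -W -f='${Version}\n' packagekit 2>/dev/null \
            | sed 's/^[0-9]*://; s/[-+~].*//'
    fi
}

# Prints "active", "inactive" or "unknown" for packagekit.service (assumed unit name).
pk_service_state() {
    if command -v systemctl >/dev/null 2>&1; then
        if systemctl is-active --quiet packagekit.service 2>/dev/null; then
            echo active
        else
            echo inactive
        fi
    else
        echo unknown
    fi
}

# Human-readable triage summary for the current host.
pk_report() {
    v="$(pk_installed_version)"
    if [ -z "$v" ]; then
        echo "PackageKit: not installed (not affected by CVE-2026-41651)"
        return 0
    fi
    if pk_version_affected "$v"; then
        echo "PackageKit $v: AFFECTED (fixed in 1.3.5+), service $(pk_service_state)"
        return 1
    fi
    echo "PackageKit $v: not in affected range, service $(pk_service_state)"
    return 0
}

# Usage when run directly; constructed versions shown for illustration.
if [ "${0##*/}" = "pk_check.sh" ]; then
    pk_report
    for sample in 1.0.1 1.0.2 1.2.10 1.3.4 1.3.5; do
        if pk_version_affected "$sample"; then
            echo "$sample affected"
        else
            echo "$sample not affected"
        fi
    done
fi
```

The version comparison is done field by field in awk rather than with `sort -V`, so the script also works on minimal images without GNU coreutils. A return value of 1 from pk_report makes it easy to run across a fleet and collect the hosts that still need the update.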


Telekom IT researchers discovered the vulnerability with the support of Anthropic's Claude Opus, further evidence that AI-assisted vulnerability research is now delivering solid results. At the same time, many projects are discontinuing bounty payments for bug reports because of the flood of AI-generated submissions. The search was triggered by unusual behavior of "pkcon install" on a Fedora workstation, which was able to install a system package without asking for a password.

Several Linux distributions in their standard installation are impacted. Telekom lists Debian Desktop Trixie 13.4, Fedora 43 Desktop and Server, RockyLinux Desktop 10.1, Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS Beta) and finally Ubuntu Server 22.04 – 24.04 (LTS). These are at least the distributions that the IT researchers explicitly tested. However, it is reasonable to assume that all distributions that ship PackageKit and activate it by default are vulnerable.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.