CVE-2026-41651: Pack2TheRoot: The PackageKit Race That Gives Any Local User Root on Ubuntu, Debian, and Fedora
By Parth Shukla · 2026-04-24
CVE-2026-41651 (Pack2TheRoot): PackageKit TOCTOU race grants root to any local user. CVSS 8.8, Ubuntu/Debian/Fedora affected. Patch to 1.3.5 immediately.
#cve #linux #packagekit #privilege-escalation #toctou #ubuntu #debian #fedora
How to check if you are exposed to CVE-2026-41651
- Check installed PackageKit version (Debian/Ubuntu): dpkg -l packagekit | awk 'NR>2 {print $2, $3}' # Vulnerable if version < 1.3.5 (e.g., 1.3.0, 1.2.8, etc.)
- Check installed PackageKit version (RHEL/Fedora/Rocky): rpm -qa PackageKit --qf '%{NAME} %{VERSION}-%{RELEASE}\n' # Vulnerable if version < 1.3.4-3 (Fedora backport) or < 1.3.5 (upstream)
- Check if the PackageKit daemon is running: systemctl status packagekit # If Active: active (running) or Active: inactive (auto-start on demand), # the daemon is present. "Not found" means PackageKit is not installed.
- Check for exploitation indicators in system logs: journalctl -u packagekit --since "2026-04-22" | grep -i "assertion\|failed\|crash\|emitted_finished" # An assertion failure at pk-transaction.c:514 is the canonical exploitation indicator
- Check for unexpected recently installed packages (possible post-exploit payload): # Debian/Ubuntu: grep "install " /var/log/dpkg.log | tail -50 # RHEL/Fedora/Rocky: rpm -qa --last | head -30
- Identify Cockpit-exposed servers in your network: # (Cockpit wraps PackageKit for web-based package management on port 9090) while IFS= read -r ip; do curl -sk --max-time 3 "http://$ip:9090/" \ | grep -qi "cockpit\|cockpit-bridge" && echo "COCKPIT FOUND: $ip" done < server-ip-ranges.txt # Any Cockpit instance on an unpatched server is a priority patching target
Frequently asked questions
What is CVE-2026-41651?
CVE-2026-41651 is a TOCTOU race condition (CWE-367, CVSS 8.8) in the PackageKit daemon that allows any locally authenticated user to silently install — or remove — system packages with root privileges, without triggering a polkit password prompt. The attack operates entirely over D-Bus (local IPC), requires only a standard user account, and produces no visible prompt to the user or administrator during execution. Post-exploitation consequence is full system compromise: malicious packages install arbitrary binaries or cron jobs as root, remove security tooling, or execute RPM/DEB scriptlets with root-level OS access. The vulnerability affects all PackageKit releases from 1.0.2 (2013) through 1.3.4, spanning virtually every Linux desktop distribution shipped in the last decade that uses PackageKit for software management. Discovered by Deutsche Telekom's Red Team. Fixed in PackageKit 1.3.5, released April 22, 2026. No public PoC exploit code has been released; the researchers are intentionally withholding full technical details to give distributions time to push the patch. Update immediately via your distribution's package manager.
Is CVE-2026-41651 being actively exploited?
Deutsche Telekom's Red Team first noticed the flaw when a pkcon install command succeeded on Fedora Workstation without producing a password prompt — on a standard non-privileged user account. That observation triggered the deeper analysis that identified the three-bug TOCTOU chain.
Am I exposed to CVE-2026-41651?
A system is exposed if it runs PackageKit 1.0.2 through 1.3.4 and has any user-level access — local, SSH, or otherwise — that an attacker could reach. The relevant question for server teams is not just "do our desktop machines run PackageKit?" but also "do our cloud VMs, CI/CD runners, or Cockpit-managed servers run PackageKit?"
How do I fix CVE-2026-41651?
On servers where PackageKit is not required for operations (i.e., software updates are handled via automation, not GNOME Software or Cockpit's package panel), masking the service eliminates the attack surface entirely: