A serious flaw in PackageKit lets unprivileged users escalate to root while installing packages, and Deutsche Telekom’s Red Team says it can be done in seconds. The bug, tracked as CVE-2026-41651 and described as Pack2TheRoot, carries a CVSS score of 8.1.
The vulnerability is a time-of-check time-of-use (TOCTOU) race condition on transaction flags. PackageKit writes caller-supplied flags without checking whether the transaction is authorized, or even whether it is still running, and the backend reads those flags at dispatch time rather than at authorization time. That gives an attacker’s flags a path into the transaction at the wrong moment, letting them use Pack2TheRoot to install arbitrary RPM packages as root, including their scriptlets, without authentication.
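To make the defect concrete, here is a small added model (not PackageKit’s own code; the class names, flag names and state machine are invented for illustration) of the two designs the paragraph contrasts: a transaction whose flags are a mutable field read only at dispatch, beside one that binds the flag set to the authorization decision and rejects later writes from anyone but the owner or after the transaction has left its initial state.

```python
"""Hypothetical model of the transaction-flag TOCTOU pattern.

Added example, not code from PackageKit or the researchers: all names
here are assumptions chosen to illustrate why flags must be snapshotted
at authorization time rather than read back at dispatch time.
"""
from dataclasses import dataclass, field
from typing import Optional


class TransactionError(Exception):
    pass


@dataclass
class VulnerableTransaction:
    """Flags live in a mutable field that the backend reads only at dispatch."""
    owner: str
    flags: set = field(default_factory=set)
    authorized: bool = False

    def set_flags(self, caller: str, flags: set) -> None:
        # Flaw: no check of the caller, the authorization state, or whether
        # the transaction is still live. Every write lands.
        self.flags = set(flags)

    def authorize(self) -> None:
        # Policy decides on whatever flags happen to be set right now...
        self.authorized = True

    def dispatch(self) -> set:
        # ...but the backend reads the flags again here, so a write that
        # happened between authorize() and dispatch() wins.
        return set(self.flags)


@dataclass
class HardenedTransaction:
    """Flags are frozen into a snapshot the moment authorization happens."""
    owner: str
    state: str = "created"  # created -> authorized -> finished
    _pending: set = field(default_factory=set)
    _authorized_flags: Optional[frozenset] = None

    def set_flags(self, caller: str, flags: set) -> None:
        if caller != self.owner:
            raise TransactionError("only the transaction owner may set flags")
        if self.state != "created":
            raise TransactionError(f"cannot change flags in state {self.state}")
        self._pending = set(flags)

    def authorize(self) -> None:
        # The authorization decision is bound to this exact flag set.
        self._authorized_flags = frozenset(self._pending)
        self.state = "authorized"

    def dispatch(self) -> frozenset:
        if self.state != "authorized":
            raise TransactionError("dispatch without authorization")
        self.state = "finished"
        return self._authorized_flags


def run_vulnerable() -> set:
    """Authorize a harmless flag set, then let a late write replace it."""
    tx = VulnerableTransaction(owner="alice")
    tx.set_flags("alice", {"simulate"})            # what policy was asked about
    tx.authorize()
    tx.set_flags("mallory", {"allow-untrusted"})   # late write from another caller
    return tx.dispatch()                            # backend acts on the late write


def run_hardened():
    """Same sequence against the hardened model: the late write is refused."""
    tx = HardenedTransaction(owner="alice")
    tx.set_flags("alice", {"simulate"})
    tx.authorize()
    try:
        tx.set_flags("mallory", {"allow-untrusted"})
        rejected = ""
    except TransactionError as exc:
        rejected = str(exc)
    return tx.dispatch(), rejected


if __name__ == "__main__":
    print("vulnerable dispatches:", run_vulnerable())
    print("hardened dispatches, rejection:", run_hardened())
```

The design point is the snapshot: once policy has said yes to a specific flag set, the backend must act on that frozen copy, and any attempt to alter the transaction afterwards, or by a caller other than its owner, is an error rather than a silent overwrite.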
Deutsche Telekom’s Red Team found the flaw before the report was published, and the company warned that an attacker could use it for “root access or compromise the system in other ways.” It also said that, “Even though the vulnerability is reliably exploitable in seconds, it leaves traces that serve as a strong indicator of compromise.” Those traces matter because the exploit does not stay quiet: after successful abuse, the PackageKit daemon hits an assertion failure and crashes, then systemd brings it back on the next D-Bus invocation. The crash is visible in system logs.
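The crash-then-restart trace described above is the kind of signal a log pipeline can alert on. The following is an added detection sketch, not part of the original report: the journal lines are constructed for illustration, the exact wording packagekitd and systemd emit varies by distribution and build, and the regular expressions and the default year used to parse syslog timestamps are assumptions to be tuned against real journal output.

```python
"""Detection sketch: packagekitd assertion crash followed by a systemd restart.

Added example, not from the article or from PackageKit. The sample log is
constructed; patterns and the assumed year are placeholders to adjust
against real `journalctl` output on the distribution in question.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample journal output (not a real capture).
SAMPLE_LOG = """\
Jun 01 10:14:02 host packagekitd[1201]: starting transaction (constructed sample)
Jun 01 10:14:03 host packagekitd[1201]: ERROR: assertion failed: (constructed condition)
Jun 01 10:14:03 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT
Jun 01 10:14:09 host systemd[1]: Started PackageKit Daemon.
Jun 01 11:00:00 host packagekitd[1340]: daemon quit
"""

# Classic syslog-style journal line: "Mon DD HH:MM:SS host unit[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
ASSERT_RE = re.compile(r"assertion", re.IGNORECASE)       # assumed crash wording
RESTART_RE = re.compile(r"Started PackageKit", re.IGNORECASE)  # assumed restart wording


def parse_ts(ts: str, year: int = 2026) -> datetime:
    # Syslog timestamps carry no year; the default is an assumption.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_crash_restart(log: str, window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return one finding per packagekitd assertion message, with the time of the
    first systemd restart of PackageKit that follows it within `window` (or None)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["unit"], m["msg"]))

    findings = []
    for i, (ts, unit, msg) in enumerate(events):
        if unit != "packagekitd" or not ASSERT_RE.search(msg):
            continue
        restarted_at: Optional[datetime] = next(
            (t for t, u, later in events[i + 1:]
             if u == "systemd" and RESTART_RE.search(later) and t - ts <= window),
            None,
        )
        findings.append({"crash_at": ts, "restarted_at": restarted_at, "message": msg})
    return findings


if __name__ == "__main__":
    for f in find_crash_restart(SAMPLE_LOG):
        print(f"packagekitd assertion crash at {f['crash_at']}, "
              f"restarted at {f['restarted_at']}: {f['message']}")
```

A crash of this daemon is unusual enough on its own to merit a look; pairing it with the quick restart narrows the pattern further, and correlating the timestamp with package installs recorded around the same moment is the natural follow-up.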
PackageKit versions 1.0.2 through 1.3.4 are confirmed to be affected, and the flaw likely existed since version 0.8.1, which was released 14 years ago. Version 1.0.2 dates to 12 years ago. Confirmed affected distributions include Ubuntu Desktop 18.04, Ubuntu Desktop 24.04.4, Ubuntu Desktop 26.04, Ubuntu Server 22.04 to 24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, Fedora 43 Desktop and Fedora 43 Server. It is reasonable to assume that any distribution shipping PackageKit with the daemon enabled is vulnerable, and many servers with Cockpit installed may also be exposed, including Red Hat Enterprise Linux.
PackageKit is a cross-distro package management abstraction layer, and the flaw lands in a place where that design creates broad reach. Cockpit uses PackageKit as an optional dependency, which is why the problem extends beyond desktops into server deployments. Pack2TheRoot was addressed in PackageKit version 1.3.5, and recent Debian, Ubuntu and Fedora updates have already included patches. For administrators, the key shift is simple: a local packaging helper that was meant to smooth updates could instead hand an unprivileged user the keys to the machine if it was left unpatched.