PackageKit, a D-Bus layer that unifies package management operations, was found to contain a vulnerability named Pack2TheRoot (CVE-2026-41651). The vulnerability could allow an unprivileged user to install or remove any package and gain root access to the system. The issue has been present in PackageKit since version 1.0.2 (2014) and is fixed in the latest release, PackageKit 1.3.5.
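A triage check for the version range stated above, as an added example that is not part of the original article or the PackageKit project. It reduces a distro package version to its upstream part and compares it numerically against 1.0.2 and 1.3.5; the function names are hypothetical, and the package names `packagekit` (dpkg) and `PackageKit` (rpm) are assumptions about distro packaging.

```shell
# Added example, not PackageKit code. Bounds are the ones the article states.
PK_FIRST_AFFECTED=1.0.2
PK_FIXED=1.3.5

# Strip distro decoration from a package version: a leading epoch ("1:")
# and everything from the first "-", "+" or "~" (revision, release, suffix).
pk_upstream() {
    v=${1#*:}
    printf '%s\n' "${v%%[-+~]*}"
}

# Print -1, 0 or 1 as dotted version $1 is <, = or > $2 (integer fields,
# so 1.10.0 sorts after 1.3.5; missing fields count as 0).
pk_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
    done
    echo 0
}

# Classify a version string: in-affected-range, outside-range or unknown.
pk_status() {
    u=$(pk_upstream "$1")
    case $u in ''|.*|*[!0-9.]*) echo unknown; return ;; esac
    if [ "$(pk_cmp "$u" "$PK_FIRST_AFFECTED")" -ge 0 ] &&
       [ "$(pk_cmp "$u" "$PK_FIXED")" -lt 0 ]; then
        echo in-affected-range
    else
        echo outside-range
    fi
}

# Installed package version via the native package manager, empty if absent.
pk_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' packagekit 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' PackageKit 2>/dev/null
    fi
}

# Classify each version string given on the command line.
for arg in "$@"; do
    printf '%s\t%s\n' "$arg" "$(pk_status "$arg")"
done
```

Run `pk_status "$(pk_installed)"` on a host to classify what is installed. A result of `in-affected-range` is only a prompt to check the distribution's own advisory, since a distribution can backport the fix without changing the upstream version number.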
The vulnerability was discovered by researchers from Deutsche Telekom using the Claude Opus AI model. A working exploit has been prepared to demonstrate its impact on various distributions, but the detailed information and the exploit will be released later to give users time to update their systems. The exploit was demonstrated on Ubuntu Desktop 18.04/24.04.4/26.04, Ubuntu Server 22.04 – 24.04, Debian Desktop 13.4, RockyLinux Desktop 10.1, and Fedora 43 Desktop/Server. The status of vulnerability fixes in different distributions can be checked on the respective pages linked below: