A race condition in the PackageKit cross-distro package management abstraction layer has been described as easily exploitable, allowing unprivileged users to install packages with root privileges. The flaw, tracked as CVE-2026-41651 with a CVSS of 8.1, is a time-of-check time-of-use (TOCTOU) issue on transaction flags and is referred to as Pack2TheRoot.
According to Deutsche Telekom’s Red Team, which discovered the vulnerability, Linux distributions including Ubuntu Desktop 18.04, 24.04.4, 26.04, Ubuntu Server 22.04–24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, Fedora 43 Desktop and Server, have been confirmed affected; Red Hat Enterprise Linux (RHEL) servers with Cockpit installed may also be vulnerable.
According to the NIST advisory, unprivileged users can exploit Pack2TheRoot to install arbitrary RPM packages as root, including their scriptlets, without authentication. The flaw has been confirmed to affect PackageKit versions 1.0.2 to 1.3.4, though it likely dates back to version 0.8.1, released 14 years ago. Patches appear in PackageKit 1.3.5, alongside updates for Debian, Ubuntu and Fedora.
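The article names the bug class (a TOCTOU race on transaction flags) without illustrating it. The following is an added, constructed example, not PackageKit's own code: a privileged service decides whether a transaction needs authentication by checking a flags word that the unprivileged client can still modify, then re-reads those flags when it acts. The flag names, `struct transaction` and the hook used to stand in for the race window are all hypothetical. The hardened version takes one snapshot of the flags and uses that same value for both the check and the action, which is the general fix for this pattern.

```c
/* Constructed illustration of a check-then-use race on transaction flags.
 * Not PackageKit code; all identifiers are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_SIMULATE     (1u << 0)  /* dry run: nothing is actually installed */
#define FLAG_ONLY_TRUSTED (1u << 1)  /* only signed packages permitted */

struct transaction {
    uint32_t flags;   /* shared state, changeable by the client over IPC */
    bool authorized;  /* set when the caller has already authenticated */
};

/* Result codes returned by the run_* functions below. */
enum { DENIED = -1, SIMULATED = 0, INSTALLED = 1 };

/* Hypothetical policy: a simulated, trusted-only transaction may run
 * without authentication because it changes nothing on disk. */
static bool allowed_without_auth(uint32_t flags)
{
    return (flags & FLAG_SIMULATE) && (flags & FLAG_ONLY_TRUSTED);
}

/* Models the window between the check and the use. In a real daemon this
 * is a client request arriving on another thread; here it is a callback. */
typedef void (*race_hook)(struct transaction *);

/* Vulnerable: authorizes on t->flags, then re-reads t->flags to decide
 * what to do. A client that clears FLAG_SIMULATE in the window turns an
 * unauthenticated dry run into a real install. */
int run_vulnerable(struct transaction *t, race_hook between)
{
    if (!t->authorized && !allowed_without_auth(t->flags))
        return DENIED;
    if (between)
        between(t);                   /* race window */
    return (t->flags & FLAG_SIMULATE) ? SIMULATED : INSTALLED;
}

/* Hardened: snapshot the flags once. The authorization decision and the
 * action are made on the same immutable value, so a later change to the
 * shared field cannot widen what the transaction is allowed to do. */
int run_hardened(struct transaction *t, race_hook between)
{
    const uint32_t flags = t->flags;  /* single read */
    if (!t->authorized && !allowed_without_auth(flags))
        return DENIED;
    if (between)
        between(t);                   /* same window, now harmless */
    return (flags & FLAG_SIMULATE) ? SIMULATED : INSTALLED;
}

/* Simulates the client's change in the window: drop the dry-run flag. */
void clear_simulate(struct transaction *t)
{
    t->flags &= ~FLAG_SIMULATE;
}

int main(void)
{
    struct transaction a = { FLAG_SIMULATE | FLAG_ONLY_TRUSTED, false };
    struct transaction b = a;
    printf("vulnerable: %d (1 = installed without auth)\n",
           run_vulnerable(&a, clear_simulate));
    printf("hardened:   %d (0 = stayed a dry run)\n",
           run_hardened(&b, clear_simulate));
    return 0;
}
```

The defender's takeaway is the snapshot: any value that gates a privilege decision must be copied out of client-reachable state before the check and reused unchanged for the action. Re-reading it later, however briefly afterwards, reopens the window.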