securityaffairs.com 4/24/2026, 8:20:57 PM · via preferred

PackageKit flaw CVE-2026-41651 lets Linux users gain root

CyberSIXT evidence panel: CVE intel; CISA KEV status: not in KEV; patch status: patch available.

The Pack2TheRoot flaw, tracked as CVE-2026-41651, lets unprivileged local Linux users install or remove system packages without authorisation, potentially gaining full root access. It affects multiple Linux distributions in their default installations and has existed for nearly 12 years: PackageKit versions 1.0.2 through 1.3.4 are vulnerable.

Deutsche Telekom’s Red Team discovered the issue, which stems from PackageKit allowing commands such as pkcon install to run without a password on some systems, and researchers used the Claude Opus AI tool to explore it. The advisory published by Deutsche Telekom states that the vulnerability can be exploited by any local unprivileged user to obtain root access on a vulnerable system, and a fix was released in PackageKit 1.3.5, with patches deployed on 22 April 2026.

Tested systems include Ubuntu, Debian, Fedora and Rocky Linux, though other distributions using PackageKit may also be at risk. To mitigate, users are urged to update to version 1.3.5 or later and verify PackageKit status on their systems, noting that PoC code has not been released publicly to prevent abuse.
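The mitigation advice above is to confirm which PackageKit version is installed and whether it falls in the 1.0.2 to 1.3.4 range. The script below is an added example written for this summary, not code from the article, Deutsche Telekom or the PackageKit project. It assumes the Debian/Ubuntu package is named packagekit, the Fedora/Rocky RPM is named PackageKit, and that pkcon --version prints a dotted version number; the version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the installed PackageKit is inside the
# vulnerable range 1.0.2 - 1.3.4 for CVE-2026-41651 (fixed in 1.3.5).
# Assumptions: Debian-family package "packagekit", RPM-family package
# "PackageKit", and `pkcon --version` printing a dotted version number.

# pk_version_ge A B: return 0 when dotted version A >= B.
# Only numeric components are compared; distro suffixes such as
# "-1ubuntu1" or "+git" and a Debian epoch prefix "N:" are ignored.
pk_version_ge() {
    a=$(printf '%s' "$1" | sed 's/^[0-9]*://; s/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/^[0-9]*://; s/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}          # missing component counts as 0 (1.2 == 1.2.0)
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# pk_is_vulnerable V: return 0 when 1.0.2 <= V <= 1.3.4 (the range named in the advisory).
pk_is_vulnerable() {
    pk_version_ge "$1" 1.0.2 && pk_version_ge 1.3.4 "$1"
}

# Print the installed PackageKit version, asking the package manager first
# (authoritative for what the distro shipped) and pkcon itself as a fallback.
pk_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' packagekit 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' PackageKit 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v pkcon >/dev/null 2>&1; then
        v=$(pkcon --version 2>/dev/null | grep -o '[0-9][0-9.]*' | head -n 1)
        [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# Exit 0 when not in the vulnerable range, 1 when vulnerable, 2 when PackageKit is absent.
main() {
    ver=$(pk_installed_version) || { echo "PackageKit not installed or not detected"; return 2; }
    if pk_is_vulnerable "$ver"; then
        echo "PackageKit $ver: in vulnerable range 1.0.2-1.3.4, update to 1.3.5 or later"
        return 1
    fi
    echo "PackageKit $ver: outside the vulnerable range"
    return 0
}

main "$@"
```

The exit status is meant for fleet-wide use: run the script over hosts with your configuration management tool and collect the hosts returning 1. The version comparison deliberately drops packaging suffixes, so a distribution that backports the fix into a package still labelled 1.3.4 (a common vendor practice) will be reported as vulnerable; for those systems, check the distribution's own advisory rather than relying on the version number alone.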


Article by CyberSIXT