New ‘Pack2TheRoot’ flaw gives hackers root Linux access

A critical local privilege escalation vulnerability (CVE-2026-41651), dubbed Pack2TheRoot, has been discovered in the PackageKit daemon affecting Linux systems. Present since PackageKit version 1.0.2 (November 2014), the flaw allows local users to install or remove system packages without authentication under certain conditions, effectively gaining root access. Confirmed vulnerable distributions include Ubuntu, Debian, Fedora, and RockyLinux. The fix is available in PackageKit version 1.3.5, released this week. Users can check their installed version and daemon status using provided commands. Exploitation leaves observable traces in system logs via daemon crashes.