Easily Exploitable 'Pack2TheRoot' Linux Vulnerability Leads to Root Access
Briefly

"Tracked as CVE-2026-41651, the flaw is described as a time-of-check time-of-use (TOCTOU) race condition on transaction flags, allowing unprivileged users to install packages with root privileges."
"The security defect has been confirmed to impact PackageKit versions 1.0.2 to 1.3.4, but likely existed since version 0.8.1, which was released 14 years ago."
"According to Deutsche Telekom's Red Team, Linux distributions confirmed as affected include Ubuntu Desktop 18.04, 24.04.4, 26.04, Ubuntu Server 22.04 - 24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43."
"The company has refrained from sharing technical details on the flaw, noting that it is easily exploitable and that it could allow attackers to gain root access or compromise the system in other ways."
The vulnerability, known as Pack2TheRoot, is a TOCTOU race condition on PackageKit transaction flags that unprivileged users can exploit. The flaw affects PackageKit versions 1.0.2 to 1.3.4 and potentially earlier versions. It enables attackers to install arbitrary RPM packages as root without authentication. Affected Linux distributions include various versions of Ubuntu, Debian, RockyLinux, and Fedora. The flaw could lead to root access or other system compromise, and it is reasonable to assume that all distributions using PackageKit are vulnerable.
Read at SecurityWeek