
12-year-old 'Pack2TheRoot' bug in PackageKit gives any local user root on default Ubuntu, Debian, Fedora, and RHEL/Cockpit installs (CVE-2026-41651)

Deutsche Telekom's Red Team disclosed CVE-2026-41651, a local privilege escalation in the PackageKit daemon that has shipped in default Linux installations since November 2014. Any unprivileged local user can invoke 'pkcon install' without a polkit prompt, install or remove arbitrary packages, and escalate to root. CVSS 8.8. Confirmed-vulnerable defaults include Ubuntu Desktop and Server LTS, Debian Trixie, Rocky Linux 10.1, and Fedora 43; any RHEL server running Cockpit is also exposed because Cockpit loads PackageKit on demand via D-Bus. PackageKit 1.3.5 fixes it. The researchers credited Anthropic's Claude Opus with helping guide the discovery.

Check
Inventory every Linux endpoint and server for PackageKit, patch to 1.3.5 today, and audit historical journalctl output for the assertion-failure IoC.
Affected
PackageKit versions 1.0.2 through 1.3.4 (every release between November 2014 and the April 22, 2026 fix). Default Ubuntu Desktop and Server LTS, Debian Trixie 13.4, Rocky Linux 10.1, Fedora 43. Also exposed: any RHEL or CentOS server running Cockpit, which loads PackageKit on demand via D-Bus.
Fix
Update PackageKit to 1.3.5 across the fleet. Verify with 'dpkg -l | grep packagekit' or 'rpm -qa | grep packagekit'. A process-list grep is insufficient because PackageKit is D-Bus-activated, so the daemon may not be running even where the vulnerable package is installed. Hunt for past exploitation with 'journalctl -u packagekit | grep emitted_finished', which surfaces the assertion-failure crashes. Where patching is delayed, mask the systemd unit and disable Cockpit.
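The verify-and-hunt steps above as one script, added here as an example; it is not code from the advisory or from the PackageKit project. It assumes dpkg-query or rpm is available for the version query, that the vulnerable range is 1.0.2 through 1.3.4 as stated above, and that the journal IoC is the emitted_finished token; the sample journal lines are constructed.

```shell
#!/bin/sh
# Audit one host for CVE-2026-41651: installed PackageKit version in the
# vulnerable range, plus a count of journal lines carrying the IoC token.

# Strip Debian epoch ("1:") and Debian revision / RPM release ("-1ubuntu3",
# "-3.el10") so only the upstream version remains for comparison.
pk_normalize() {
    v=$1; v=${v#*:}; v=${v%%-*}
    printf '%s\n' "$v"
}

# Compare two dotted upstream versions numerically; prints -1, 0 or 1.
pk_vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
        y=$(printf '%s' "$2" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# Exit 0 when the distro version string falls in 1.0.2 .. 1.3.4 inclusive.
pk_is_vulnerable() {
    v=$(pk_normalize "$1")
    [ "$(pk_vercmp "$v" 1.0.2)" -ge 0 ] && [ "$(pk_vercmp "$v" 1.3.4)" -le 0 ]
}

# Count journal lines (stdin) that mention the assertion-failure IoC.
pk_count_ioc() { grep -c 'emitted_finished' || true; }

# Package database query, not a process grep: the daemon is D-Bus-activated.
pk_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' packagekit 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1 && rpm -q PackageKit >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' PackageKit
    fi
}

# Constructed sample journal output (not a real PackageKit log); two lines
# carry the emitted_finished token, one systemd line does not.
PK_SAMPLE_JOURNAL='Apr 23 09:12:01 host packagekitd[812]: assertion failed: emitted_finished (constructed)
Apr 23 09:12:01 host systemd[1]: packagekit.service: Main process exited, code=dumped
Apr 23 09:15:44 host packagekitd[930]: assertion failed: emitted_finished (constructed)'

pk_audit() {
    v=$(pk_installed_version)
    if [ -z "$v" ]; then echo "PackageKit not installed (or no dpkg/rpm here)"
    elif pk_is_vulnerable "$v"; then echo "VULNERABLE: PackageKit $v, update to 1.3.5"
    else echo "OK: PackageKit $v"; fi
    if command -v journalctl >/dev/null 2>&1; then
        n=$(journalctl -u packagekit --no-pager 2>/dev/null | pk_count_ioc)
        echo "journal lines with emitted_finished: $n"
    fi
}
pk_audit
```

Run it on each host in the inventory and treat any non-zero IoC count as a trigger for a closer look at that host's PackageKit transaction history.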