David Valles retweeted
Recent TOCTOU vulnerability in PackageKit allows attackers to escalate privileges to root. The vulnerability, Pack2TheRoot (CVE-2026-41651), is analyzed by our colleague Vadim, who also explains how to protect yourself. Read more: purpleshift.io/purple/2026-0…
Matthias Klumpp: Introducing pkgcli: A nicer command-line interface for PackageKit bit.ly/3Qdya6F
Replying to @Coiffeur0x90
Nice! PackageKit?
🚨 CVE-2026-41651 'Pack2TheRoot' (PackageKit 1.0.2–1.3.4): TOCTOU race → any local user → root on DEFAULT Linux installs. PoC on GitHub. Ubuntu 22/24, RHEL 9/10, Fedora all affected. 27d old — barely patched. Linux admins: update PackageKit NOW. #ZeroDay #Linux #LPE
Replying to @piyush784066
systemd systemd-resolved Snap Forced Firefox Snap AppArmor by default Netplan cloud-init Ubuntu Pro nagging and MotD advertising Amazon search lens history Telemetry Unattended upgrades GNOME (itself) GNOME heavily patched by Canonical NetworkManager journald binary logs PolicyKit / polkit D-Bus dependency sprawl PackageKit / Software Center layers PPA culture Apt mixed with Snap mixed with Flatpak Canonical NIH syndrome: Upstart, Unity, Mir, Snap, Launchpad, Bazaar, Netplan: Canonical keeps inventing its own stack, then sometimes abandoning parts of it. Launchpad centralization ESM / security update segmentation Livepatch as a Canonical service Advantage/Pro client packages Apport Whoopsie Tracker / indexing services — GNOME file indexers that can chew resources and feel invasive. Avahi zeroconf/mDNS daemon running for local network discovery, sometimes unnecessary attack surface. CUPS browsing / printer auto-discovery ModemManager often installed even when you do not use mobile broadband. Bluetooth stack always lurking BlueZ and GUI layers. A pile of background daemons for “convenience” the classic Ubuntu problem: usable, but increasingly less minimalist and less legible. Corporate desktop assumptions Debian base with Canonical control layer on top. The tragedy: underneath is Debian; above it is a Canonical product funnel. That's just off the top of my head to start.
Check out our latest episode of Wordfence Security News | Week of April 27, 2026
Stories we cover:
• BreezeCache critical file upload flaw exploited within 24 hours of disclosure
• 22,000 exploit attempts blocked across nearly 5,000 sites targeting BreezeCache
• Over 1,300 unique IPs now attacking BreezeCache - 900 appeared on April 29th alone
• Bitwarden CLI supply chain attack via malicious NPM package version 2026.4.0
• TeamPCP linked to broader Checkmarx compromise hitting Docker, GitHub Actions, and extensions
• ADT breach by ShinyHunters - 5.5M unique emails tracked by Have I Been Pwned
• Pack2TheRoot privilege escalation in PackageKit affects 12 years of Linux distributions
Subscribe on your favorite podcasting platform to get weekly security updates. youtu.be/w9JqM0rXhVM
📢⚠️ #Pack2TheRoot exposes a 12-year-old flaw in Linux’s PackageKit, letting unprivileged users gain root access in seconds. Affects major distros, patch now Read: hackread.com/pack2theroot-li… #Linux #CyberSecurity #Vulnerability #PackageKit
CVE-2026-41651: PackageKit <= 1.3.4: TOCTOU vulnerability in leads to local root exploit openwall.com/lists/oss-secur… D-Bus abstraction layer for distribution package management. The vulnerability allows installing/removing arbitrary packages, leading to a local root exploit.
🚨 Critical - PackageKit Local Privilege Escalation (CVE-2026-41651) Unprivileged local users can install arbitrary RPM packages as root via a TOCTOU race condition on transaction flags. This allows full local privilege escalation through execution of RPM scriptlets as root. 👉 Upgrade to v1.3.5 to mitigate the risk
For the curious about the mechanics: it's a TOCTOU on transaction->cached_transaction_flags. Three bugs in the code let those flags get rewritten between authorization and execution - classic race window. Affected versions: PackageKit 1.0.2 through 1.3.4. Fixed in 1.3.5.
If you haven't patched today, now would be a good time. "Pack2TheRoot" in PackageKit lets any local user install system packages without a password - and become root. Affects Debian, Fedora, Ubuntu, Rocky in default config. CVSS 8.8. Updates have been out since April 22.
⚙️ What is PackageKit? It is a service that runs in the background of the system (a background daemon) and manages installing, updating and removing packages on Linux systems. The flaw lies in the request-handling mechanism, which allows sensitive commands (such as pkcon install) to be executed without asking the user for any authentication (Authentication Bypass).
🚨 Claude Opus discovered a 12-year-old vulnerability in Linux systems. The vulnerability is in PackageKit and gives the attacker root privileges on the system. Vulnerability number: CVE-2026-41651 | Rating: 8.8 (High). Technical details in the following tweets: 🧵👇
⚠️ Pack2TheRoot A 12-year-old flaw has been patched in a component used by many Linux distributions: PackageKit. For example, the flaw is exploitable on Debian 13.4 and Fedora 43. More info 👇 - it-connect.fr/pack2theroot-c… #linux #infosec #cybersecurite
The 12-year-old vulnerability "Pack2TheRoot" (CVE-2026-41651) allows obtaining root privileges on Linux. CVSS score 8.8. It is a vulnerability in the PackageKit daemon; versions 1.0.2 through 1.3.4 are vulnerable. Discovered with Claude Opus and verified by hand. Technical details are to be disclosed at a later date. securityaffairs.com/191231/s…
🐧A 12-year-old privilege escalation bug in PackageKit lets local users gain root without authentication. CVSS 8.8. Affects Ubuntu, Debian, Fedora, RockyLinux and likely any distro with PackageKit pre-installed. Patch is out: PackageKit 1.3.5. Update now. 📄Source: Deutsche Telekom Red Team / BleepingComputer 👉Follow @VulnerabilityNw IOCs and details on our Telegram → t.me/VulnerabilityNews
It has just been confirmed: a 12-year-old vulnerability in Linux called Pack2TheRoot allows local users to obtain root privileges and potentially access the entire system. CVE-2026-41651, with a CVSS score of 8.8, has existed for almost 12 years and affects Linux systems that use PackageKit, allowing unprivileged users to install or remove system packages without authorization. The vulnerability is exploited through PackageKit, which could allow a local attacker to obtain root access and full control over the system. Linux systems that use PackageKit are at risk, especially if they do not have up-to-date patches or have not implemented adequate access controls. The severity of this vulnerability is high, since it could allow an attacker to take complete control of a Linux system. It is important that Linux system administrators review their systems and apply the necessary patches to mitigate this vulnerability. Are you at risk? Check this: make sure your Linux systems are up to date and are not running PackageKit without the proper patches. securityaffairs.com/191231/s…
Apr 25
🚩12-Year-Old PackageKit Flaw Allows Local Users to Gain Root Access securityaffairs.com/191231/s… A 12-year-old PackageKit flaw, now tracked as CVE-2026-41651, can let a local unprivileged Linux user gain root access. The bug, called Pack2TheRoot, affects PackageKit versions 1.0.2 through 1.3.4 and has been seen across multiple distros, including Ubuntu, Debian, Fedora, and Rocky Linux. The fix is in PackageKit 1.3.5, but distro patches may vary. Check if PackageKit is installed on your system and update it if necessary. #Linux #Cybersecurity #InfoSec #PackageKit
Today's industry news flash analysis. What AI creates and what AI breaks.
■ Microsoft / Windows
・Windows Update overhaul: one reboot per month and a skip feature, built on 7,621 pieces of feedback
■ Linux / OSS
・Linux kernel 7.1: 138,161 lines deleted in one go amid a flood of AI-generated bug reports
・"Pack2TheRoot", a vulnerability that lurked in PackageKit for 12 years; Claude Opus played a role in its discovery
・GCC also moving to draw up an AI policy, sets up a working group
■ AI
・DeepSeek V4 released; an unusual release that itself states it is "3 to 6 months behind the frontier"
・Google to invest up to $40 billion in Anthropic; terms nearly identical to Amazon's, looking like a circular deal
・A news site claiming "independent journalism" whose reporters are all AI; funded by a PAC of OpenAI executives
・Claude Opus 4.7's safety guardrails ran amok, refusing even a cybersecurity professor's legitimate work
・Musk vs. Altman: trial opens April 27, claim amount $134 billion
■ Games
・The era of 120 collectors owning 20,000+ titles on Steam; the leader holds about 120 million yen worth
■ Memory / Storage
・Samsung semiconductors: one day of union rallies cut memory utilization by 18.4% and foundry by 58.1%
・DDR5 memory falls in price in Japan for the first time in 4 months; 64GB kits drop below 80,000 yen
■ Other
・"FIRESTARTER", a backdoor in Cisco firewalls that patches do not remove; eradication requires a power cut
・SS7's old wounds expose the surveillance industry: a vivid record of an attack that switched between 11 carriers and 9 countries in 4 hours
The outline of the facts, and what lies beneath. note.com/joho_no_todai/n/n05…