PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distro, cross-architecture API.
The vulnerability
All PackageKit versions >= 1.0.2 and <= 1.3.4, from November 2014 through now, contain a local privilege escalation vulnerability identified as Pack2TheRoot (CVE-2026-41651): Cross-Distro Local Privilege Escalation Vulnerability. This vulnerability was recently identified by Deutsche Telekom Security as part of their research into local privilege escalation attack vectors.
This vulnerability allows a local, non-privileged user to escalate their privileges and install or remove packages, which can be used to damage the system or to compromise it further.
The details of exploiting this vulnerability have not been released in the interest of security.
The fix
Updating to PackageKit 1.3.5 closes the vulnerability. The patched version of the software is available, but not all distros have yet made it available.
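To check a host against the version range above, the following added example (not PackageKit's or any distro's own code) classifies a package version string. The function names and the package names in the comments are assumptions, and it compares the upstream version only, so a distro package that carries a backported fix would still be reported as affected.

```sh
#!/bin/sh
# Added example (not PackageKit code): classify a PackageKit package version
# against the range stated above: affected 1.0.2 through 1.3.4, fixed in 1.3.5.

# Reduce a distro package version to a sortable integer from upstream x.y.z.
# Epoch ("1:") and distro revision ("-2ubuntu1") are stripped; anything else
# that is not digits and dots is rejected rather than guessed at.
pk_version_key() {
    up=${1#*:}          # drop epoch, if any
    up=${up%%-*}        # drop distro revision, if any
    case "$up" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $up          # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print one of: affected | fixed-upstream | older-than-affected-range | unknown
pk_classify() {
    key=$(pk_version_key "$1") || { echo unknown; return 0; }
    if [ "$key" -lt 1000002 ]; then
        echo older-than-affected-range
    elif [ "$key" -le 1003004 ]; then
        echo affected
    else
        echo fixed-upstream
    fi
}

# Obtain the installed version with the distro's package manager, e.g.
#   dpkg-query -W -f='${Version}' packagekit   # package name is an assumption
#   rpm -q --qf '%{VERSION}' PackageKit        # package name is an assumption
# and pass it as the first argument.
if [ $# -gt 0 ]; then
    pk_classify "$1"
fi
```

A result of `unknown` means the string carried something other than an epoch, a dotted numeric version and a revision (a pre-release or snapshot suffix, for example) and needs a manual look.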