Privilege escalation vulnerability in PackageKit (CVE-2026-41651) enables root access via PackageKit daemon
Summary
A local privilege escalation vulnerability in the PackageKit daemon, tracked as CVE-2026-41651, allows unauthenticated local users to execute arbitrary package installation or removal commands, leading to full root access on affected Linux systems. The flaw has existed for approximately 12 years, in PackageKit versions up to 1.3.4, and affects default installations across multiple major Linux distributions. Deutsche Telekom’s Red Team discovered the issue as an authentication bypass in command handling, specifically in 'pkcon install' operations on Fedora systems. No public exploit code or technical details have been released, so as to give administrators time to patch. The flaw carries a CVSS score of 8.8 (Medium severity) due to its high impact on confidentiality, integrity, and availability.
Timeline
- 24.04.2026 20:28 (1 article)
PackageKit vulnerability (CVE-2026-41651) disclosed with patch availability
Deutsche Telekom’s Red Team disclosed a local privilege escalation vulnerability in PackageKit (CVE-2026-41651) to maintainers and Red Hat on April 8, 2026. A patch was released in PackageKit 1.3.5 on April 23, 2026, addressing the flaw in versions 1.0.2 through 1.3.4. No exploit code or technical details were published to prevent widespread abuse during patch deployment.
- New ‘Pack2TheRoot’ flaw gives hackers root Linux access — www.bleepingcomputer.com — 24.04.2026 20:28
Information Snippets
- CVE-2026-41651 is a locally exploitable flaw in PackageKit (versions 1.0.2 through 1.3.4) that enables unauthenticated package management commands to escalate privileges to root.
  First reported: 24.04.2026 20:28 (1 source, 1 article)
- The vulnerability stems from improper authentication checks in PackageKit’s request handling mechanism, specifically during 'pkcon install' operations on Fedora systems.
  First reported: 24.04.2026 20:28 (1 source, 1 article)
- Deutsche Telekom’s Red Team reported the issue to Red Hat and PackageKit maintainers on April 8, 2026, and confirmed exploitation via daemon assertion failures and crashes in system logs.
  First reported: 24.04.2026 20:28 (1 source, 1 article)
- Affected distributions include Ubuntu Desktop (18.04 EOL, 24.04.4 LTS, 26.04 LTS beta), Ubuntu Server (22.04–24.04 LTS), Debian Trixie 13.4, RockyLinux 10.1, and Fedora 43 Desktop/Server; any distribution with PackageKit enabled is potentially vulnerable.
  First reported: 24.04.2026 20:28 (1 source, 1 article)
- PackageKit versions prior to 1.3.5 are vulnerable. Users are advised to upgrade immediately and verify that the daemon is patched to prevent exploitation.
  First reported: 24.04.2026 20:28 (1 source, 1 article)
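As an added example, not from the article or the PackageKit project, the following POSIX shell check classifies a PackageKit version string against the affected range stated above (1.0.2 through 1.3.4, fixed in 1.3.5). It assumes that `pkcon --version` prints the PackageKit version as a bare string such as `1.3.4`; the article does not describe that command, so treat that part as an assumption.

```shell
#!/bin/sh
# Added example, not from the article: classify a PackageKit version against
# the affected range for CVE-2026-41651 (1.0.2 .. 1.3.4, fixed in 1.3.5).

# Turn a dotted version like "1.3.4" into one integer (1003004) so it can be
# compared with test(1). Missing fields count as 0, and a suffix such as "-1"
# after the last number is dropped by awk's numeric conversion.
verkey() {
  printf '%s' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Exit status 0 when $1 lies inside the affected range, 1 otherwise.
pk_affected() {
  k=$(verkey "$1")
  if [ "$k" -ge "$(verkey 1.0.2)" ] && [ "$k" -le "$(verkey 1.3.4)" ]; then
    return 0
  fi
  return 1
}

# Report the installed version when the pkcon client is present.
# Assumption (not stated in the article): `pkcon --version` prints the
# PackageKit version as a bare string such as "1.3.4".
pk_report() {
  command -v pkcon >/dev/null 2>&1 || { echo "pkcon not installed"; return 0; }
  installed=$(pkcon --version 2>/dev/null | tr -dc '0-9.')
  [ -n "$installed" ] || { echo "could not read PackageKit version"; return 0; }
  if pk_affected "$installed"; then
    echo "PackageKit $installed is in the affected range; upgrade to 1.3.5 or later"
  else
    echo "PackageKit $installed is outside the affected range"
  fi
}

pk_report
```

The range check is the part worth reusing; feed it the version reported by your distribution's package manager if the `pkcon` assumption does not hold on your system.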