Pack2TheRoot Linux Vulnerability Exposes Local Privilege Escalation Risk
A newly disclosed flaw in PackageKit enables unprivileged users to gain root access on major Linux distributions, though patches are already available.
A local privilege escalation vulnerability dubbed Pack2TheRoot has been identified in PackageKit, a system software management daemon present on numerous Linux distributions. According to Deutsche Telekom’s Red Team, which discovered the flaw, the vulnerability allows an unprivileged local user to achieve root code execution on default installations.
Affected distributions include Ubuntu Desktop 18.04 (end-of-life), 24.04.4 (LTS), and 26.04 (LTS beta), along with Ubuntu Server 22.04 through 24.04 (LTS). Debian Desktop Trixie 13.4, Rocky Linux Desktop 10.1, Fedora 43 Desktop, and Fedora 43 Server are also vulnerable. Deutsche Telekom notes that “all distributions that ship PackageKit with it enabled are vulnerable,” and that many servers running Cockpit (which lists PackageKit as an optional dependency) may be affected, including Red Hat Enterprise Linux systems.
The vulnerability exploits a race condition through the AF_ALG socket type, a kernel-backed interface for cryptographic primitives. By leveraging splice operations, an attacker can write four bytes into a page held in the kernel’s page cache, potentially allowing modification of memory belonging to other processes. According to one observer familiar with the matter, such timing-based vulnerabilities (TOCTOU bugs) cannot be algorithmically detected and must be discovered through manual analysis, making them notoriously difficult to identify during code review.
However, the threat has already been substantially mitigated. PackageKit version 1.3.5 addressed the vulnerability, and patches have been included in recent Debian, Ubuntu, and Fedora updates. The Linux kernel itself received a silent fix approximately one month before public disclosure. Red Hat systems compile the vulnerable code into the kernel but allow users to disable it via boot parameters.
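For administrators triaging hosts against the fixed release mentioned above, the following is an added example (not from Deutsche Telekom or the PackageKit project) that compares a package version string with 1.3.5. The package names `packagekit` (dpkg) and `PackageKit` (rpm), the function names, and the sample version strings used to exercise it are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: compare a PackageKit package version with 1.3.5, the fixed
# upstream release named in the article. Distributions can backport fixes, so
# "below-fixed" means "check the distribution advisory", not "vulnerable".
FIXED=1.3.5

# Drop a Debian epoch ("1:") and the distro revision ("-2ubuntu1", "-1.fc43").
upstream_version() {
    uv=${1#*:}
    printf '%s\n' "${uv%%-*}"
}

# version_lt A B: succeed when dotted-numeric version A sorts before B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# classify VERSION: print below-fixed, at-or-above-fixed or unknown.
classify() {
    up=$(upstream_version "$1")
    case $up in
        ''|*[!0-9.]*) echo unknown; return 0 ;;  # pre-release tags etc.
    esac
    if version_lt "$up" "$FIXED"; then echo below-fixed
    else echo at-or-above-fixed; fi
}

# Query the local package database (dpkg first, then rpm).
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' packagekit 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' PackageKit 2>/dev/null || true
    fi
}

host=$(installed_version | head -n 1)
case $host in
    ''|*' '*) echo "PackageKit package not found" ;;
    *) echo "PackageKit $host: $(classify "$host") (fixed upstream: $FIXED)" ;;
esac
```

A result of `unknown` (for example a pre-release tag in the version) should be resolved by hand rather than treated as patched.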
The practical impact remains limited. The vulnerability requires local access and primarily affects systems running PackageKit with default configurations. Many hardened deployments either don’t load the affected module or have already applied patches. Embedded devices and systems on extended support cycles that receive infrequent updates represent the highest-risk category.
Deutsche Telekom has developed a working proof-of-concept but is withholding it from public release. The vulnerability highlights ongoing challenges in maintaining security across large, complex codebases like the Linux kernel, where new features occasionally introduce subtle flaws despite rigorous development processes.