A new vulnerability dubbed Pack2TheRoot could be exploited in the PackageKit daemon to allow local Linux users to install or remove system packages and gain root permissions.

The flaw is identified as CVE-2026–41651 and received a high-severity rating of 8.8 out of 10. It has persisted for almost 12 years in the PackageKit daemon, a background service that manages software installation, updates, and removal across Linux systems.

Earlier this week, some information about the vulnerability has been published, along with PackageKit version 1.3.5 that addresses the issue. However, technical details and a demo exploit have been not been disclosed to allow the patches to propagate.