Vulnerability referred to as Pack2TheRoot in PackageKit

REPRODUCIBILITY: ?
OS VERSION: 5.0.0.76
HARDWARE: N/A → PackageKit
UI LANGUAGE: NA
REGRESSION: ?

DESCRIPTION:

The next lines are copy/paste, translated and slightly edited. It requires a local user, sooo not that critical on a phone with one user, but good to patch anyway :slight_smile:


Summary:

Several popular Linux distributions contain a serious vulnerability that allows privileges to be escalated from any user to root. Updates are expected shortly.

Situation:

On 22 April 2026, Deutsche Telekom (DTCERT) reported a serious vulnerability affecting several major Linux distributions [1].

The vulnerability, referred to as Pack2TheRoot, lies in the PackageKit component. Exploitation makes it possible to:

  • Elevate privileges from any user to root (No CVE yet / CVSSv3 8.8 (CRITICAL))

The technique behind the attack involves tricking the package management system into adding or removing system packages without the necessary permissions. This can in turn be exploited to grant an attacker arbitrary privileges.

The following versions of PackageKit are vulnerable:

  • Versions from 1.0.2 up to and including 1.3.4 (the vulnerability is fixed in version 1.3.5)

[1] Pack2TheRoot (CVE-2026-41651): Cross-Distro Local Privilege Escalation Vulnerability | Telekom Security

[2] Do not allow re-invoking methods on non-new transactions · PackageKit/PackageKit@76cfb67 · GitHub

PRECONDITIONS:

Having PackageKit in the system.

I see: GitHub - sailfishos/PackageKit · GitHub

STEPS TO REPRODUCE:

  1. Having PackageKit in the system.

EXPECTED RESULT:

ACTUAL RESULT:

MODIFICATIONS:

ADDITIONAL INFORMATION:

3 Likes
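The report only names the affected range (1.0.2 up to and including 1.3.4, fixed in 1.3.5), so the practical question for anyone reading it is whether the PackageKit on their own device falls inside it. The script below is an added example written for this thread; it is not part of the bug report, the advisory, or the PackageKit project. It compares dotted version strings numerically (so "1.3.4+git2" is still treated as 1.3.4, and "1.3" as 1.3.0) rather than as text, which avoids the classic mistake of "1.10" sorting before "1.3". The `installed_version()` helper assumes the package is registered in the RPM database under the name `PackageKit`; that name and the use of `rpm -q` are assumptions, not something stated on the page.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range as stated in the report: from 1.0.2 up to and including 1.3.4,
# fixed in 1.3.5. Expressed as a half-open interval [FIRST_AFFECTED, FIXED_IN).
FIRST_AFFECTED = (1, 0, 2)
FIXED_IN = (1, 3, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '1.3.4' or '1.3.4+git2' into a comparable tuple.

    Only the leading dotted numeric part is used; any suffix (git snapshot tag,
    distro release string) is ignored, so '1.3.4+git2' compares as 1.3.4.
    Short versions are padded with zeros so that '1.3' compares as 1.3.0.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version: str) -> bool:
    """True when the given PackageKit version lies inside the reported affected range."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED_IN


def installed_version() -> Optional[str]:
    """Query the RPM database for the installed PackageKit version.

    Assumption (not from the bug report): the package is named 'PackageKit' in
    the RPM database, as is usual on RPM-based systems such as Sailfish OS.
    Returns None when rpm is unavailable or the package is not installed.
    """
    try:
        out = subprocess.run(
            ["rpm", "-q", "--queryformat", "%{VERSION}", "PackageKit"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("PackageKit not found via rpm; call is_affected('<version>') with the version from your package manager")
    else:
        verdict = "AFFECTED, update to 1.3.5 or later" if is_affected(current) else "not in the affected range"
        print(f"PackageKit {current}: {verdict}")
```

Run it on the device to get a verdict for the installed package, or call `is_affected()` directly with a version string taken from whatever package manager is in use. Note that a distribution backport (like the sailfishos/PackageKit pull request linked in this thread) can fix the issue without bumping the upstream version number, so a version inside the range means "check whether the backport is applied", not necessarily "vulnerable".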

Backport of the fix backport: Do not allow re-invoking methods on non-new transactions by mlehtima · Pull Request #5 · sailfishos/PackageKit · GitHub

18 Likes