Updated · Security Affairs · Apr 25
Deutsche Telekom Red Team discloses and fixes 12-year-old Pack2TheRoot Linux vulnerability

5 articles · Updated · Security Affairs · Apr 25
  • The CVE-2026-41651 flaw, rated CVSS 8.8, allows unprivileged local users to gain root access via PackageKit on default installations of Ubuntu, Debian, Fedora, Rocky Linux, and others.
  • Researchers used the AI tool Claude Opus to identify the bug, which affects PackageKit versions 1.0.2 to 1.3.4 and is fixed in version 1.3.5; patches were released April 22, 2026.
  • Exploit code remains private to prevent abuse, but indicators of compromise were released. Users are urged to check for vulnerable PackageKit versions and update immediately, as the flaw persisted undetected for nearly 12 years.