Pack2TheRoot (CVE-2026-41651): Cross-Distro Local Privilege Escalation Vulnerability
Posted by FryBoyter@reddit | linux | 15 comments
Extra-Papaya-365@reddit
If patches fixing the exploit are now available, what is the purpose of withholding technical details? Couldn't sufficiently interested parties examine the source differences between 1.3.5 and the last release and, if not derive the root cause themselves, use this as a focal point for attack development? (Can't help but notice that the last commit before the 1.3.5 release, following a slow trickle of i18n changes over the last couple of months, is addressing cases where "a client misbehaves"...)
lathiat@reddit
There are no actual technical details in this blog
thefossguy69@reddit
I am bad at recalling CVE IDs but a PackageKit CVE and respective patch was made public last week.
thefossguy69@reddit
Yep, found it. The fix was public when a security contact informed me of the public disclosure for this vulnerability.
https://security-tracker.debian.org/tracker/CVE-2026-4165
Off topic: I've found Debian's security tracker to be extremely reliable in pointing me to an upstream patch(set) for any given CVE. I recommend it over Red Hat's and SUSE's. Source: I remediate CVEs in an EL-based LTS product at $dayjob.
FryBoyter@reddit (OP)
I suspect that Telekom wants to wait until as many users of the affected distributions as possible have had a chance to install the updates.
MatchingTurret@reddit
CrazyKilla15@reddit
Okay, you can unpatch your computer and wait until someone who's never heard of it discovers it independently if you want.
MatchingTurret@reddit
I'm perfectly OK with the patch. I just pointed out that this is one of the vulnerabilities discovered by AI. Some people (not me) doubt that this is actually happening.
tonymurray@reddit
I don't doubt it is happening, but the noise ratio is very high. Not only that, the reports look plausible at first glance. It only takes people a little time to generate an AI report, but it can take hours to verify them.
Hmm, I wonder how open source is doing?
MatchingTurret@reddit
Things changed.
tonymurray@reddit
Well, as a maintainer of an open source project I can tell you that definitely the volume did change and the amount of my time that is wasted is killing my desire to contribute.
FryBoyter@reddit (OP)
This information is also included in the article I linked to.
More_Implement1639@reddit
Very nice finding.
MatchingTurret@reddit
Claude Mythos.
StartersOrders@reddit
I know that Deutsche Telekom will have a stake in this (which is why they've been looking for things like this), but it's nice to see big companies helping with Linux's security piece.