Two Critical Linux Vulnerabilities Exposed: "Pack2TheRoot" and "CopyFail"
Two distinct security vulnerabilities affecting Linux systems have been disclosed, prompting urgent patching efforts from major distributions.
Vulnerability Overview
Flaw         | CVE ID         | Type                                               | Severity
Pack2TheRoot | CVE-2026-41651 | PackageKit daemon (local privilege escalation)     | High
CopyFail     | CVE-2026-31431 | Linux kernel cryptographic subsystem (root access) | High (CVSS 7.8)
CVE-2026-41651: "Pack2TheRoot"
Technical Details
The vulnerability lies in the PackageKit daemon (packagekitd), which services requests from clients such as pkcon, and stems from insufficient authentication checks on specific command paths, such as the one exercised by the pkcon install command.
A local user with limited privileges can therefore install or remove system packages. Because package installation and removal run as root, this potentially leads to root-level access.
The flaw has been present since at least PackageKit 1.0.2 (November 2014) and affects all releases up to and including 1.3.4.
Discovery and Disclosure
- Discovered by: Researchers from Deutsche Telekom Red Team during an internal investigation
- Analysis tool: Anthropic's Claude Opus model was used for further analysis
- Disclosure date: April 8, 2026 (to Red Hat and PackageKit maintainers)
A proof-of-concept exploit has not been publicly released to allow time for patching.
Affected Systems
Distributions with PackageKit installed and enabled by default are considered potentially at risk:
- Ubuntu (Desktop and Server, LTS releases and beta)
- Debian (Desktop Trixie 13.4)
- Rocky Linux
- Fedora (Desktop and Server)
The vulnerability was observed in particular on Fedora systems.
Response and Mitigation
- PackageKit 1.3.5 contains the fix; upgrade to 1.3.5 or later.
- Verify the installed version with the distribution's package manager (for example rpm -q PackageKit on Fedora and Rocky Linux, or dpkg -l packagekit on Debian and Ubuntu).
- Review system logs for unexpected packagekitd crashes.
- Disable or remove PackageKit if the service is not required. The daemon is started on demand through D-Bus, so disabling packagekit.service alone is not enough: mask the unit (systemctl mask --now packagekit.service) or remove the package.
CVE-2026-31431: "CopyFail"
Technical Details
The "Copy Fail" vulnerability is a logic flaw in the authenticated-encryption ("authenc") template of the Linux kernel's cryptographic subsystem, reachable through the AF_ALG user-space crypto interface.
An August 2017 commit introduced an in-place performance optimization that allowed buffer reuse in the algif_aead module; as a result, a page-cache page can end up in a kernel-writable scatterlist during an AEAD operation submitted over an AF_ALG socket.
Combined with the splice() system call, this gives a local attacker a controlled 4-byte write into the page cache of any file they can read. Overwriting a setuid-root executable in this way yields root privileges.
The vulnerability affects Linux kernel versions since 4.14 (2017).
Discovery and Disclosure
- Discovered by: Researchers at Theori using their AI-assisted platform Xint Code
- Disclosure date: March 23, 2026 (to Linux kernel security team)
- Patches released within approximately one week
- Incorporated into kernel versions 6.18.22, 6.19.12, and 7.0
- Patch added to mainline Linux kernel on April 1, 2026
Details were published before all affected distributions could release patches. A proof-of-concept exploit (732-byte Python script) has been developed and demonstrated.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports active exploitation in the wild and ordered U.S. federal civilian agencies to patch affected systems by May 15.
Affected Systems
Affected distributions include:
- Red Hat Enterprise Linux 10.1
- Ubuntu 24.04 LTS
- Amazon Linux 2023
- SUSE 16
- Debian
- Fedora
- Arch Linux
Multi-tenant servers, Kubernetes and other container platforms, CI pipelines, and cloud SaaS environments should be patched first.
The exploit works from inside a container, because the page cache belongs to the host kernel and is shared by every process on it, including those in other namespaces.
It needs no race condition and no knowledge of kernel offsets. Because the corrupted page is never marked dirty, the change is never written back: the on-disk copy stays intact, and the modification vanishes once the page is evicted or the host reboots. File-integrity tools such as AIDE, Tripwire, and OSSEC that compare the file against a baseline afterwards therefore see a clean file; only a check that reads the file while the altered page is still cached would observe the change.
Comparison to Dirty Pipe
The Copy Fail vulnerability is considered more portable, reliable, and simpler to exploit than CVE-2022-0847 (Dirty Pipe), though it arises from a different subsystem.
Response and Mitigation
For systems that cannot be patched yet, disable the algif_aead kernel module (both commands run as root):
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf   # stop the module from autoloading on the next AF_ALG "aead" bind
rmmod algif_aead   # unload it now; fails if an AF_ALG aead socket is currently open
- This blocks the attack path: with the module unavailable, binding an AF_ALG socket of type "aead" fails, while other AF_ALG types (hash, skcipher) keep working. Two caveats: if the kernel has CONFIG_CRYPTO_USER_API_AEAD built in (=y) rather than as a module, the modprobe rule has no effect and only a kernel update helps; and any application that obtains AEAD ciphers from the kernel through AF_ALG loses that facility.
- Major Linux distributions have begun patching, though formal advisories referencing CVE-2026-31431 are not always published
- Some distributions (Arch Linux, Fedora, Amazon Linux) have released patches, while others have not yet addressed the issue
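The script below is an added example, not code from the advisory, from PackageKit or from the kernel project. It implements the verification steps of both mitigation sections: it compares the installed PackageKit against the 1.3.5 fix for CVE-2026-41651, compares the running kernel release against the fixed stable releases named above for CVE-2026-31431 (6.18.22, 6.19.12, 7.0), and reports whether algif_aead is loaded, blocked by a modprobe rule, or built into the kernel. Assumed, and not stated on this page: the package is named PackageKit on rpm systems and packagekit on dpkg systems, and the usual /sys/module, /lib/modules/<release>/modules.builtin and /etc/modprobe.d paths exist.

```shell
#!/bin/sh
# Host check for the two flaws in this article (added example, not the
# advisory's or the projects' own code). Assumed: package name "PackageKit"
# (rpm) / "packagekit" (dpkg), the fixed versions stated in the article, and
# the standard /sys/module, /lib/modules/<release>/modules.builtin and
# /etc/modprobe.d paths. Distribution kernels backport fixes without bumping
# the version string, so "vulnerable"/"unknown" here means "check the vendor
# advisory", never "confirmed exploitable".

PK_FIXED="1.3.5"

# version_lt A B: succeed (0) when dotted version A is lower than B.
# Missing components count as 0 (1.3 < 1.3.5); a packaging suffix such as
# "-2ubuntu1" or "-1.fc42" on a component is ignored (1.3.5-1 == 1.3.5).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"                 # leading component
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"      # drop it from A
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"      # drop it from B
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"     # strip non-numeric tail
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# Prints "vulnerable", "fixed" or "not-installed" for a PackageKit version string.
packagekit_status() {
    [ -z "$1" ] && { echo not-installed; return 0; }
    version_lt "$1" "$PK_FIXED" && echo vulnerable || echo fixed
}

# Installed PackageKit version from rpm or dpkg; prints nothing if absent.
installed_packagekit_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q PackageKit >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' PackageKit
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' packagekit 2>/dev/null || true
    fi
}

# Classifies a kernel release string (uname -r) for CVE-2026-31431:
# "unaffected" (< 4.14), "vulnerable"/"fixed" for the 6.18 and 6.19 series
# and for 7.0+, "unknown" for series the article names no fixed version for.
kernel_status() {
    v="${1%%-*}"                        # "6.18.21-200.fc42.x86_64" -> "6.18.21"
    case "$v" in
        6.18|6.18.*) version_lt "$v" 6.18.22 && echo vulnerable || echo fixed ;;
        6.19|6.19.*) version_lt "$v" 6.19.12 && echo vulnerable || echo fixed ;;
        *)
            if version_lt "$v" 4.14; then echo unaffected
            elif version_lt "$v" 7.0; then echo unknown
            else echo fixed
            fi ;;
    esac
}

# Reports algif_aead as "builtin" (a modprobe rule cannot disable it),
# "loaded", "blocked" (install rule present, module not loaded) or
# "not-loaded" (will autoload on the first AF_ALG "aead" bind).
algif_aead_status() {
    rel="$(uname -r)"
    if grep -qs algif_aead "/lib/modules/$rel/modules.builtin"; then
        echo builtin
    elif [ -d /sys/module/algif_aead ]; then
        echo loaded
    elif grep -qs '^install[[:space:]]*algif[_-]aead' /etc/modprobe.d/*.conf; then
        echo blocked
    else
        echo not-loaded
    fi
}

main() {
    printf 'PackageKit (CVE-2026-41651): %s\n' "$(packagekit_status "$(installed_packagekit_version)")"
    printf 'kernel %s (CVE-2026-31431): %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
    printf 'algif_aead module: %s\n' "$(algif_aead_status)"
}

main
```

No root privileges are needed: package databases, /sys/module and modules.builtin are world-readable. A "blocked" or "fixed" verdict confirms the workaround or the update is in place; "builtin" means the modprobe rule is ineffective and only a kernel update removes the exposure.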
System administrators are urged to apply patches immediately, especially for multi-tenant and cloud environments where the risk of exploitation is highest.