Any organization running Linux desktops or multi-user Linux servers where employees, contractors, or other authenticated users have local access is exposed to full system compromise from within: because the exploit is public, an attack requires no network access and no special technical skill. A compromised root account on an endpoint or server can be used to exfiltrate data, install persistent backdoors, move laterally, or disable security controls — each of which carries potential regulatory notification obligations depending on the data handled. The 12-year window of exposure means any unpatched Linux system in your fleet may have been silently vulnerable throughout its operational life.
You Are Affected If
You run PackageKit version 1.0.2 through 1.3.4 on any Linux system (check with 'pkcon --version' or 'rpm -q packagekit' / 'dpkg -l packagekit')
You operate Ubuntu Desktop 18.04, 24.04.4 LTS, or 26.04 LTS beta; Ubuntu Server 22.04–24.04 LTS; Debian Desktop Trixie 13.4; Rocky Linux Desktop 10.1; or Fedora 43 Desktop or Server with default package configurations
Local user access is granted to non-administrator users on affected systems, including developer workstations, shared servers, VDI environments, or contractor-accessible machines
PackageKit is enabled and running (systemctl is-active packagekit returns 'active') and has not been masked or disabled as a hardening measure
You have not yet applied the PackageKit 1.3.5 update from your distribution's vendor security channel
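The checks above, combined into one host-assessment script that inventory tooling can run per machine. This is an added illustration, not PackageKit or vendor tooling; it assumes the affected range 1.0.2 through 1.3.4, the 1.3.5 fix and the systemd unit name packagekit from this advisory, and assumes the RPM package is named PackageKit.

```sh
#!/bin/sh
# Added fleet-check helper for the advisory above; not PackageKit or vendor code.
# Assumptions taken from the advisory: affected range 1.0.2 through 1.3.4,
# fixed in 1.3.5, systemd unit "packagekit". RPM package name assumed "PackageKit".

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# Distro suffixes such as "1.3.4-1ubuntu1" are ignored segment by segment.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    case "$a" in *.*) ai="${a%%.*}"; a="${a#*.}" ;; *) ai="$a"; a="" ;; esac
    case "$b" in *.*) bi="${b%%.*}"; b="${b#*.}" ;; *) bi="$b"; b="" ;; esac
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"        # keep leading digits only
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return 0; fi
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# Exit 0 when the given PackageKit version lies in the affected range.
pk_version_affected() {
  [ "$(vercmp "$1" 1.0.2)" -ge 0 ] && [ "$(vercmp "$1" 1.3.4)" -le 0 ]
}

# Installed PackageKit version, or empty output if it is not installed.
installed_packagekit_version() {
  if command -v pkcon >/dev/null 2>&1; then
    pkcon --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' packagekit 2>/dev/null
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}\n' PackageKit 2>/dev/null
  fi
}

# One verdict line per host for inventory tooling; exit 1 when exposed.
assess_host() {
  v="$(installed_packagekit_version)"
  if [ -z "$v" ]; then echo "not-installed"; return 0; fi
  if systemctl is-active --quiet packagekit 2>/dev/null; then svc=active; else svc=inactive; fi
  if pk_version_affected "$v"; then
    echo "EXPOSED version=$v service=$svc (update to 1.3.5)"; return 1
  fi
  echo "patched version=$v service=$svc"
}

# Run the host scan only when invoked as: sh pk-check.sh --scan
case "${1:-}" in --scan) assess_host ;; esac
```

The verdict line and non-zero exit status let a configuration-management or EDR job flag exposed hosts without parsing distribution-specific package output.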
Board Talking Points
A flaw discovered in widely used Linux software allows any user with a login account on an affected system to take full control of that system; because a working exploit is publicly available, no hacking skills are required.
IT and security teams should identify and patch all affected Linux systems to version PackageKit 1.3.5 within 72 hours, prioritizing servers and shared workstations where multiple users have access.
Organizations that do not patch remain exposed to insider threat escalation, contractor abuse, or post-breach lateral movement that could result in full system compromise and potential regulatory notification obligations.