title: Possible Pack2TheRoot exploitation (CVE-2026-41651)
id: 3f2b8d54-skeletonkey-pack2theroot
status: experimental
description: |
  Detects the file-side footprint of Pack2TheRoot (CVE-2026-41651): a non-root user
  triggers PackageKit InstallFiles, dpkg runs a postinst that drops /tmp/.suid_bash
  (a setuid bash), and a privileged shell follows. The trigger itself is two
  back-to-back D-Bus calls with no polkit prompt; it is only visible via dbus-monitor
  or through the file side effects flagged below.
references:
  - https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
  - https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
  - https://github.com/Vozec/CVE-2026-41651
logsource:
  product: linux
  service: auditd
detection:
  suid_drop:
    type: 'PATH'
    name|startswith:
      - '/tmp/.suid_bash'
      - '/tmp/.pk-payload-'
      - '/tmp/.pk-dummy-'
  # Sigma has no '|expression' modifier; exclude root via a filter selection instead.
  filter_root:
    auid: 0
  condition: suid_drop and not filter_root
level: high
tags:
  - attack.privilege-escalation
  - attack.t1068
  - cve.2026-41651
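The rule's logic applied to raw auditd records, as an added example that is not part of the rule or of the referenced advisories. It assumes default raw auditd formatting, correlates PATH and SYSCALL records by audit serial (a step a SIEM normally does before a Sigma rule sees the event), and constructs its own sample records.

```python
"""Added example, not part of the rule above: apply its logic to raw auditd
records. auditd stores the file name in PATH records and the auid in the
SYSCALL record of the same event, so records are first grouped by the serial
in msg=audit(<ts>:<serial>) and the rule is evaluated per event."""
import re
from collections import defaultdict

# Same prefix list as the rule's suid_drop selection.
SUSPICIOUS_PREFIXES = ("/tmp/.suid_bash", "/tmp/.pk-payload-", "/tmp/.pk-dummy-")
MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not captured from a real host). The dpkg child
# writing the setuid file runs as uid=0 but typically inherits packagekitd's
# unset auid (4294967295), which is still != 0 and therefore passes the filter.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1712345678.100:4201): arch=c000003e syscall=257 success=yes uid=0 auid=4294967295 comm="cp" exe="/usr/bin/cp"',
    'type=PATH msg=audit(1712345678.100:4201): item=1 name="/tmp/.suid_bash" mode=0104755 ouid=0 nametype=CREATE',
    'type=SYSCALL msg=audit(1712345679.200:4202): arch=c000003e syscall=257 success=yes uid=0 auid=0 comm="cp" exe="/usr/bin/cp"',
    'type=PATH msg=audit(1712345679.200:4202): item=1 name="/tmp/.pk-dummy-test" mode=0100644 ouid=0 nametype=CREATE',
    'type=SYSCALL msg=audit(1712345680.300:4203): arch=c000003e syscall=257 success=yes uid=1000 auid=1000 comm="vim" exe="/usr/bin/vim"',
    'type=PATH msg=audit(1712345680.300:4203): item=0 name="/tmp/notes.txt" mode=0100644 ouid=1000 nametype=CREATE',
]

def group_events(lines):
    """Parse raw records into {field: value} dicts, grouped by audit serial."""
    events = defaultdict(list)
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            events[m.group(2)].append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events

def matches_rule(records):
    """True when a PATH name hits the prefix list and no SYSCALL record has auid 0."""
    suid_drop = any(r.get("type") == "PATH" and r.get("name", "").startswith(SUSPICIOUS_PREFIXES)
                    for r in records)
    auids = [r["auid"] for r in records if r.get("type") == "SYSCALL" and "auid" in r]
    # Mirrors Sigma 'not filter_root': an event with no auid at all also passes.
    not_root = all(a != "0" for a in auids)
    return suid_drop and not_root

def alert_serials(lines):
    """Serials of events that satisfy the rule, in order of first appearance."""
    return [serial for serial, recs in group_events(lines).items() if matches_rule(recs)]
```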