A critical local privilege escalation vulnerability chain tracked as CVE-2026–5140 has exposed serious security weaknesses in Pardus Linux. Researchers revealed that the flaws allow any unprivileged local user to gain full root access without authentication, potentially leading to complete system compromise within seconds.
The vulnerability affects the pardus-update package, which handles system updates through graphical tools and privileged Python helper scripts. The issue received a CVSS v3.1 score of 9.3, classifying it as “Critical.” The published vector is:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Maintained by TÜBİTAK, Pardus Linux is widely used across Turkish government institutions, schools, and enterprise environments. Researchers stated that the attack chain behind CVE-2026–5140 combines three separate vulnerabilities: a Polkit authorization bypass, a CRLF injection flaw, and an untrusted search path issue.
Polkit Misconfiguration Opens the Door
The first issue was identified in the file:
/usr/share/polkit-1/actions/tr.org.pardus.pkexec.pardus-update.policy
Researchers discovered that several privileged actions were configured with unrestricted access permissions:
<defaults>
<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
Because of this configuration, any local user could execute privileged operations through pkexec without entering an administrator password. The vulnerable actions included aptupdateaction, autoaptupgradeaction, and systemsettingswrite.
This allowed attackers to run the following scripts as root:
- SystemSettingsWrite.py
- AutoAptUpgrade.py
CRLF Injection Enables Configuration Manipulation in Pardus Linux
The second flaw in CVE-2026–5140 involved SystemSettingsWrite.py, which writes user-controlled input into the configuration file:
/etc/pardus/pardus-update.conf
Although Python’s ConfigParser sanitizes newline characters (\n), it does not properly filter carriage returns (\r). Attackers could exploit this weakness using the following payload:
123\rcustom_sourcesd_path=/tmp/pwn.list
The injected carriage return caused the parser to interpret the second part as a new configuration entry:
custom_sourcesd_path=/tmp/pwn.list
This gave attackers control over the APT source configuration used by the update system.
Malicious Repository Leads to Root Access
The final stage of CVE-2026–5140 targeted AutoAptUpgrade.py, which copied attacker-controlled .list files directly into /etc/apt/sources.list.d/ without validating the source path.
Researchers demonstrated a proof-of-concept attack by creating a malicious Debian package that modified /bin/bash with the SUID bit through a postinst script:
#!/bin/sh
chmod +s /bin/bash
exit 0
The exploit was triggered with two commands:
pkexec /usr/share/pardus/pardus-update/src/SystemSettingsWrite.py write \
lastupgrade $’123\rcustom_sourcesd_path=/tmp/pwn.list’
pkexec /usr/share/pardus/pardus-update/src/AutoAptUpgrade.py
After execution, attackers could gain a root shell using:
/bin/bash -p
Researchers confirmed the attack provided full administrative access, including the ability to read sensitive files, install persistent backdoors, overwrite system files, and completely take over vulnerable Pardus Linux systems.
The vulnerability was discovered and documented on March 13, 2026, by Çağrı Eser. Researchers advised administrators to harden Polkit rules immediately, sanitize CRLF characters in user input, and restrict APT source paths to trusted directories to mitigate CVE-2026–5140.
