Pardus Linux CVSS 9.3 Flaw Exposes Turkish Government Systems to Root

A three-vulnerability chain in Pardus Linux's pardus-update package lets any local user gain root on Turkish government systems; no patch is available yet.

    Turkey’s official government Linux distribution has a three-step vulnerability chain rated CVSS 9.3 that any logged-in user can follow to get a root shell — and there’s no patch yet.

    CVSS 9.3 Privilege Escalation Chain Disclosed in Pardus Linux pardus-update Package

    Security researcher Çağrı Eser (0xc4gr1) disclosed a three-vulnerability privilege escalation chain in the pardus-update package — a core system update component — that enables any local user to gain root access on Pardus Linux systems. The chain carries a CVSS score of 9.3, and no CVE has been assigned and no patch is available as of the May 20, 2026 disclosure date.

    Pardus Linux is the official Linux distribution of the Turkish government, developed and maintained by TÜBİTAK (the Scientific and Technological Research Council of Turkey). It is deployed across Turkish government ministries, public schools, universities, and municipal systems as part of a national open-source initiative. The absence of a patch at time of disclosure means affected systems have no vendor-issued remediation to apply.

    Three-Flaw Chain: PolicyKit Misconfiguration, CRLF Injection, and Rogue APT Installation

    The privilege escalation chain combines three distinct weaknesses in pardus-update:

    The first flaw is a PolicyKit misconfiguration with allow_any=yes that permits any unprivileged user to execute pardus-update’s privileged operations via pkexec without authentication. Under a correctly hardened PolicyKit configuration, only authenticated administrators would be able to invoke these operations. The allow_any=yes setting removes that restriction entirely for local users.

    The second flaw is a CRLF injection vulnerability in SystemSettingsWrite.py. The application filters newline characters (\n) but not carriage return characters (\r), which allows an attacker to inject malicious APT source paths into the configuration file by embedding carriage returns that bypass the newline filter.

    The third flaw is in the path handling within AutoAptUpgrade.py, which blindly copies attacker-supplied APT source files into /etc/apt/sources.list.d/ without any path validation. Combined with the CRLF injection, this allows an attacker to place a rogue APT repository configuration file into the directory that the system’s package manager treats as authoritative.

    From Three Flaws to a Root Shell: The Full Exploitation End State

    Executing the three-step chain produces a root shell through a straightforward package manager manipulation: the attacker installs a .deb package from the rogue APT repository they introduced in step three. That package sets the SUID bit on /bin/bash, and any subsequent execution of /bin/bash -p grants an immediate root shell with no further interaction required.

    The elegance — and danger — of this chain is that each individual flaw might appear manageable in isolation. The PolicyKit misconfiguration alone permits unprivileged access to update operations. The CRLF injection alone permits configuration file manipulation. The unvalidated APT source path alone permits rogue repository injection. Together, they form a reliable, low-complexity path from any authenticated local session to full root access.

    No CVE, No Patch, and the Implications for Turkish Government IT

    The absence of a CVE assignment at disclosure creates a structured notification gap. IT administrators in Turkish government ministries and educational institutions who rely on CVE-based vulnerability tracking will not receive an alert for this flaw through standard advisory channels. The disclosure exists only through the researcher’s publication, and affected system operators must identify and apply mitigations manually.

    Researcher Çağrı Eser recommended three interim mitigations: modifying PolicyKit settings to require authentication before allowing pardus-update’s privileged operations; sanitizing APT source handling in SystemSettingsWrite.py to filter carriage returns in addition to newlines; and adding path validation to AutoAptUpgrade.py to reject attacker-supplied file paths that target sensitive system directories.
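    The second and third mitigations above (refusing carriage returns as well as newlines in APT source lines, and confining written files to /etc/apt/sources.list.d/) can be illustrated with the following added example. It is not pardus-update's own code; the function names, the file-name allow-list and the sample inputs are assumptions made for illustration.

```python
import os
import re
from typing import Optional

# Hypothetical illustration of the two sanitizing mitigations; not pardus-update code.
SOURCES_DIR = "/etc/apt/sources.list.d"

# Refuse every ASCII control character, not just "\n": a filter that strips
# only newlines leaves "\r" usable as a line terminator by the consumer.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Constructed allow-list for file names that may be created in SOURCES_DIR.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.(list|sources)$")


def sanitize_source_line(line: str) -> Optional[str]:
    """Return a single clean 'deb'/'deb-src' line, or None to reject it."""
    if CONTROL_CHARS.search(line):
        return None                     # "\r", "\n", NUL, ... are all refused
    line = line.strip()
    if not line.startswith(("deb ", "deb-src ")):
        return None
    return line


def resolve_sources_path(name: str, sources_dir: str = SOURCES_DIR) -> Optional[str]:
    """Map a caller-supplied file name to a path strictly inside sources_dir.

    Only a bare file name with an allow-listed extension is accepted, so any
    directory component or '..' segment is refused; realpath() then catches an
    existing symlink that would carry the write outside the directory.
    """
    if os.path.basename(name) != name or not SAFE_FILENAME.match(name):
        return None
    base = os.path.realpath(sources_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        return None
    return target


def accept_source_request(line: str, name: str) -> Optional[tuple]:
    """Validate both halves of a request; returns (path, line) or None."""
    clean = sanitize_source_line(line)
    path = resolve_sources_path(name)
    if clean is None or path is None:
        return None
    return (path, clean)
```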

    For Turkish government institutions deploying Pardus, any system with local user login access — shared workstations, university lab machines, administrative terminals — represents a potential escalation path until TÜBİTAK issues a patched release. The 9.3 CVSS score reflects the low complexity of exploitation combined with the high impact of full root access on systems that handle government administrative functions.
