
🔔 Dear deepin users and community members,
deepin 25.1 is here! This update includes an emergency fix for the recently discovered “Pack2TheRoot” high-risk vulnerability, along with an optimization for the audio device loss issue that some recent upgraders have experienced. We strongly recommend that everyone update as soon as possible.
I. Update Details – April 23, 2026
- Fixed audio device loss on some systems.
- Removed some outdated intelligent mirror sources and resolved update failures caused by IP bans for certain users.
- Patched several known CVE security vulnerabilities (including the “Pack2TheRoot” high‑risk vulnerability) to improve system security.
Explanation of the Emergency Fix for the “Pack2TheRoot” High‑Risk Vulnerability
Security researchers from Deutsche Telekom’s Red Team recently discovered a Time‑of‑Check Time‑of‑Use (TOCTOU) vulnerability in PackageKit.
This vulnerability allows an unprivileged attacker to install or remove software packages without authorization, which may lead to root privilege escalation or other malicious operations.
Vulnerability IDs: CVE‑2026‑41651 / GHSA‑f55j‑vvr9‑69xv
Am I affected?
All users who have not updated deepin 25 are affected. We strongly recommend updating immediately.
Temporary mitigation
None available – this issue can only be resolved through a system update.
II. Fixed Version Information
deepin 25 has been patched in this update.
You can check your current version by running:
dpkg -l | grep -i packagekit
Affected (vulnerable) versions: 1.2.8-2deepin1 and lower
Fixed version: 1.2.8-2deepin2
III. Timeline
- 2026‑04‑22 18:56 – Upstream released version 1.3.5
- 2026‑04‑22 19:31 – Upstream announcement
- 2026‑04‑22 20:30 – deepin detected the vulnerability
- 2026‑04‑23 09:56 – Patch developed and integrated
- 2026‑04‑23 13:15 – Integration testing passed
- 2026‑04‑23 16:58 – Patch integrated and update pushed
References
- https://lists.freedesktop.org/archives/packagekit/2026-April/026513.html
- https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
- https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
- https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697
That’s all for the deepin 25.1 official release. Once again, thank you for your support, dear deepin community!
deepin is a globally recognized open‑source operating system with an outstanding ranking on DistroWatch. We continuously iterate our vulnerability response to build a stable, trustworthy, and secure open‑source desktop ecosystem.
If you encounter any issues during the update or daily use, please feel free to reach out to us on the deepin community forum.