0.120 or later.# Debian/Ubuntu
sudo apt update && sudo apt upgrade policykit-1
Look for:
Report Date: 2026-04-19
Vulnerability Discovered: 2021 (Public Disclosure: January 25, 2022)
Exploit Name: BAGET (also known as PwnKit, pkexec LPE)
Affected Component: pkexec – part of PolicyKit (Polkit)
CVSS Score: 7.8 (High) – AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Process creation chain:
unpriv_user → pkexec → /bin/sh -c "arbitrary command"