The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands
CVE Link
Exploit Platform
Exploit Type
Product Name