A race condition vulnerability (CVE-2026-41651, CVSS 8.8 HIGH) in PackageKit allows for arbitrary package installation as root. The vulnerability affects PackageKit versions from 1.0.2 up to, but not including, 1.3.5, and is fixed in version 1.3.5.
Red Hat Product Errata RHSA-2026:22146 - Security Advisory Issued: 2026-06-01 Updated: 2026-06-01 RHSA-2026:22146 - Security Advisory Overview Updated Packages Synopsis Important: PackageKit security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for PackageKit is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API. Security Fix(es): PackageKit: race condition vulnerability leads to arbitrary package installation as root (CVE-2026-41651) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64 Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64 Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le Fixes BZ - 2460604 - CVE-2026-41651 PackageKit: race condition vulnerability leads to arbitrary package installation as root CVEs CVE-2026-41651 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 SRPM PackageKit-1.1.10-2.el7_9.1.src.rpm SHA-256: 0c7cf2fa7091e8b19efc48203e419aefd0b58eb4dd6bf6f3c684765b9b6cc3bf x86_64 PackageKit-1.1.10-2.el7_9.1.i686.rpm SHA-256: 2b27adb69d68e78632d6d256b54557bab1264d2f7ad1528dc1b6bf0da6639dad PackageKit-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 4de9a620b103924c68481228cb493d640a38132f29f9da8de58d9d952ebfe94d PackageKit-command-not-found-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: f52f4fd034d3e49c3db76ab40e5cf474182ddb083e61339f9c253c08a603de42 PackageKit-cron-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 94a268b343b7a166091bf8c94fd6ecd17ba829a53bd6c4d484791a696302e0c7 PackageKit-debuginfo-1.1.10-2.el7_9.1.i686.rpm SHA-256: 8d46e83dc7b2bca8c2c8dcb6fd1865e6f92bd1819a4b2e0025827d3dbfedd901 PackageKit-debuginfo-1.1.10-2.el7_9.1.i686.rpm SHA-256: 8d46e83dc7b2bca8c2c8dcb6fd1865e6f92bd1819a4b2e0025827d3dbfedd901 PackageKit-debuginfo-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 670a6cfcf47bbb7445f221b96fdedf562e3c7346ea104a2f5777a6d312357582 PackageKit-debuginfo-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 670a6cfcf47bbb7445f221b96fdedf562e3c7346ea104a2f5777a6d312357582 PackageKit-glib-1.1.10-2.el7_9.1.i686.rpm SHA-256: f643667cbeb496c99576a5dbc6fbb04d267ffcc7074fca5bfc344210c2c59e89 PackageKit-glib-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 018c07b24771ff72d225cd9398bacf677720642e85adcf6adcd951bbbd209227 PackageKit-glib-devel-1.1.10-2.el7_9.1.i686.rpm SHA-256: 9a575332916ebc26fb8dbbb81bbca1943c2a3f0e1f264c6386b6520bec3853ee PackageKit-glib-devel-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 166b5f4f874db0366cafaea6a64612f1265c8dd149035e1740d86572b1717b4c PackageKit-gstreamer-plugin-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 7d27684a49ba130cae549917aac1d43fd49dd0f0740dac75055e22c1760cdab1 PackageKit-gtk3-module-1.1.10-2.el7_9.1.i686.rpm SHA-256: fa95ca3c2fd612ca0bd551b0a0ff61abf20896402ccde5fdba90c2eb8d019226 PackageKit-gtk3-module-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 5e06db8afebbf7667c509ca379f24081b5633d7ca2c058c64f4a0dd1e1b6bf98 PackageKit-yum-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 2efc810abe5f458f54ecf587ee5cedcee77bc1469f4247b1bbd8bedaaedac467 PackageKit-yum-plugin-1.1.10-2.el7_9.1.x86_64.rpm SHA-256: 19c5264b0cd511ea00a16fce6338524ccec421799725171dfb9168cf2425ffb8 Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 SRPM PackageKit-1.1.10-2.el7_9.1.src.rpm SHA-256: 0c7cf2fa7091e8b19efc48203e419aefd0b58eb4dd6bf6f3c684765b9b6cc3bf s390x PackageKit-1.1.10-2.el7_9.1.s390.rpm SHA-256: 9376a0485c1952300de8b37ac7f0d3bb3d404e968e743293d561488264b22a69 PackageKit-1.1.10-2.el7_9.1.s390x.rpm SHA-256: 3a238c36d85d4a510cdf927b13253ef373d98f193902bbcb2a8d5ac3a58ec51d PackageKit-command-not-found-1.1.10-2.el7_9.1.s390x.rpm SHA-256: 4655349f6d0f8063b23c12b9af99ff41786af631a623c44860eae1a51bc4bf8c PackageKit-cron-1.1.10-2.el7_9.1.s390x.rpm SHA-256: c21bde9d9ffd1fccd339d6f9de950fe4d0c5acd1adc4d0ac7b7a0e677411210d PackageKit-debuginfo-1.1.10-2.el7_9.1.s390.rpm SHA-256: f0ccacf9d34d845f95572b10bc7d145060704b5edb29ab62bdff9830408d01c1 PackageKit-debuginfo-1.1.10-2.el7_9.1.s390.rpm SHA-256: f0ccacf9d34d845f95572b10bc7d145060704b5edb29ab62bdff9830408d01c1 PackageKit-debuginfo-1.1.10-2.el7_9.1.s390x.rpm SHA-256: ea3abb6ea3e837c44dc0638cff4f903e25ea0301d6310cd80661b3e8b63d620b PackageKit-debuginfo-1.1.10-2.el7_9.1.s390x.rpm SHA-256: ea3abb6ea3e837c44dc0638cff4f903e25ea0301d6310cd80661b3e8b63d620b PackageKit-glib-1.1.10-2.el7_9.1.s390.rpm SHA-256: 30bbf6b556616272c8f8e0e4892865f53aa00e1a2f28099d5ad018923491ff97 PackageKit-glib-1.1.10-2.el7_9.1.s390x.rpm SHA-256: 68cd90de981c31d993909b36e445c2fef6e76f039460b68475c4d9773bd95e84 PackageKit-glib-devel-1.1.10-2.el7_9.1.s390.rpm SHA-256: eefd4a9bab75c4ad0a7ab39f816789221780286c3c6419d518f11a91d64a781b PackageKit-glib-devel-1.1.10-2.el7_9.1.s390x.rpm SHA-256: 9d239325ac76f5c511c5013b705296e63816828115655ea6159623ced9636969 PackageKit-gstreamer-plugin-1.1.10-2.el7_9.1.s390x.rpm SHA-256: fc0a0201bd9a2c8071cc0e7874d2669018c4246345a7c09b29fb03b9ef14f990 PackageKit-gtk3-module-1.1.10-2.el7_9.1.s390.rpm SHA-256: 2e3f5fc070390eed8396a3d36021c180f2fa77cbce34e7faaec9defeba69aeba PackageKit-gtk3-module-1.1.10-2.el7_9.1.s390x.rpm SHA-256: f2febcb76de25a3d466e07877633d2ed2a028e1c78529585eb9dc6bf83a6f99f PackageKit-yum-1.1.10-2.el7_9.1.s390x.rpm SHA-256: fd29cb7e7b8581df2754d1d06d86facaa435397d6180520cc652d71e9f7673e7 PackageKit-yum-plugin-1.1.10-2.el7_9.1.s390x.rpm SHA-256: 76cc7f545c5acfe656cd0045a72881e1a035c8f101cda81c73fbc93e06af7109 Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 SRPM PackageKit-1.1.10-2.el7_9.1.src.rpm SHA-256: 0c7cf2fa7091e8b19efc48203e419aefd0b58eb4dd6bf6f3c684765b9b6cc3bf ppc64 PackageKit-1.1.10-2.el7_9.1.ppc.rpm SHA-256: 33eec70c23f2a4f88df5031cb0c1d1fce1c7d2589e3c9af363ff2aafc6e35f97 PackageKit-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: b9525f797d5057486dae3c63f9022f42c02483cfe495dc64d745f29ffe9cf998 PackageKit-command-not-found-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: 320f8c9e095a6cfbf1fa42bfc4cfc0e9606d5dfb84ae0e24cfbd4def186c5fb5 PackageKit-cron-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: 34e21d33d924e82c541105849727ccc5841fe5e3d3089126381ce6977618dd0b PackageKit-debuginfo-1.1.10-2.el7_9.1.ppc.rpm SHA-256: 4504f08478ad2c6a2cec883e9254b888335de46aed5a4d67664b7967303493bc PackageKit-debuginfo-1.1.10-2.el7_9.1.ppc.rpm SHA-256: 4504f08478ad2c6a2cec883e9254b888335de46aed5a4d67664b7967303493bc PackageKit-debuginfo-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: e07daaf3680aed2b5234f6b4db4e3286d9ac05173fed5310edf703372f7b1ca0 PackageKit-debuginfo-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: e07daaf3680aed2b5234f6b4db4e3286d9ac05173fed5310edf703372f7b1ca0 PackageKit-glib-1.1.10-2.el7_9.1.ppc.rpm SHA-256: 35b01be288d1e62b88b416c1a731efaad6aaabbec908a96a69d86c12c3b68117 PackageKit-glib-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: 70c0822d6312ff5070dfe1c92a8fdfee26ef9caf1a5ce2832ea83675d65dfc94 PackageKit-glib-devel-1.1.10-2.el7_9.1.ppc.rpm SHA-256: a8871c5a7d1405a3b855e6f17abc5158656ce49336f7ef6d79668da002fab83a PackageKit-glib-devel-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: 7e8d16d5a0b513f054dbfbd7aa3f7e75acceb71abd6b53357e875659cd1f6ae4 PackageKit-gstreamer-plugin-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: 98007bf1a3bfae534cc6ab42a7543b2b58e307905fba220dfd7c48be4cefb53b PackageKit-gtk3-module-1.1.10-2.el7_9.1.ppc.rpm SHA-256: 537035c4fb921e737e9865189bca2464b9d9fc83f1b705bc54550ddcd746e76d PackageKit-gtk3-module-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: 3b25dada5c8cfac9fe8cc69ca6bca374e22b43a2ccadd200a60bddd52eceea9d PackageKit-yum-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: 7957ba8cedb23c77d4a875d5d4bab6ec3de7ea48acd88a22da93182257b9a6fa PackageKit-yum-plugin-1.1.10-2.el7_9.1.ppc64.rpm SHA-256: 8ee913c8265c09692901d1bccfbc49c24d22cd8393cf7ca6fbfec2203163a10f Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 SRPM PackageKit-1.1.10-2.el7_9.1.src.rpm SHA-256: 0c7cf2fa7091e8b19efc48203e419aefd0b58eb4dd6bf6f3c684765b9b6cc3bf ppc64le PackageKit-1.1.10-2.el7_9.1.ppc64le.rpm SHA-256: e85799ec1d2c1e49817d4da137723223dce6c77c479a15ac3beafa9ebbd6601f PackageKit-command-not-found-1.1.10-2.el7_9.1.ppc64le.rpm SHA-256: 940a18b0adaefbc6e53bc37bbf259ab776c8dbfcf0884e3a8d3b0642af349f13 PackageKit-cron-1.1.10-2.el7_9.1.ppc64le.rpm SHA-256: 848a984af64c55b2ce236191bcb1329157faa1067b93f6a5fa3e3f05ba432e3e PackageKit-debuginfo-1.1.10-2.el7_9.1.ppc64le.rpm SHA-256: b09e2b36d1ac5f71380c0fdc154793a6b720c0177274f2cdf42ceab4a938c8bd PackageKit-debuginfo-1.1.10-2.el7_9.1.ppc64le.rpm SHA-256: b09e2b36d1ac5f71380c0fdc154793a6b720c0177274f2cdf42ceab4a938c8bd PackageKit-glib-1.1.10-2.el7_9.1.ppc64le.rpm SHA-256: 3c3e66d2cc27db7885140ca9db5a548016c71a2098fd7f18d2bfffffcf21d626 PackageKit-glib-devel-1.1.10-2.el7_9.1.ppc64le.rpm SHA-256: ddd82b0c15a244e7b1f52b0af53937821c35ac54ccb6397526155967ebcaf224 PackageKit-gstreamer-plugin-1.1.10-2.el7_9.1.ppc64le.rpm SHA-256: 09c593215755ac363dca2fd96c