A race condition vulnerability (CVE-2026-41651) in PackageKit allows arbitrary package installation as root via a local attack vector. This vulnerability has a CVSS 3.1 score of 8.8 (High). Affected versions are PackageKit 1.0.2 through 1.3.4, and the fix is provided in version 1.3.5.
Red Hat Product Errata RHSA-2026:11504 - Security Advisory Issued: 2026-04-29 Updated: 2026-04-29 RHSA-2026:11504 - Security Advisory Overview Updated Packages Synopsis Important: PackageKit security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for PackageKit is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API. Security Fix(es): PackageKit: race condition vulnerability leads to arbitrary package installation as root (CVE-2026-41651) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 9 x86_64 Red Hat Enterprise Linux for IBM z Systems 9 s390x Red Hat Enterprise Linux for Power, little endian 9 ppc64le Red Hat Enterprise Linux for ARM 64 9 aarch64 Red Hat CodeReady Linux Builder for x86_64 9 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le Red Hat CodeReady Linux Builder for ARM 64 9 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x Fixes BZ - 2460604 - CVE-2026-41651 PackageKit: race condition vulnerability leads to arbitrary package installation as root CVEs CVE-2026-41651 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 9 SRPM PackageKit-1.2.6-2.el9_7.src.rpm SHA-256: 491a94c97b3675bd55dc7aa1ca74fe1ca121d20e251aec23205e48369fdebd16 x86_64 PackageKit-1.2.6-2.el9_7.x86_64.rpm SHA-256: 8bf68777b7236e6acfa3aee32cfd8b26ade4ac2d1f86cbea3c9abb4fedcd564d PackageKit-command-not-found-1.2.6-2.el9_7.x86_64.rpm SHA-256: f2526b425aae0b82c98e6bce9fe208f67a0508c5095b210adfeb5e09b5b6f6cb PackageKit-command-not-found-debuginfo-1.2.6-2.el9_7.i686.rpm SHA-256: eeaed1ac0e1e71e51f16e3874642cf9feb80d9f7f530e8548ed1e99f1d62cec6 PackageKit-command-not-found-debuginfo-1.2.6-2.el9_7.x86_64.rpm SHA-256: c864fc15ed537851fe5e5ac837f93052c20f8bc2d0caaef1edc2da1a282c5805 PackageKit-debuginfo-1.2.6-2.el9_7.i686.rpm SHA-256: 08f4604168412f29ff107d02972eeba1bc87a2d2ada3d2d2f6f29f13705da490 PackageKit-debuginfo-1.2.6-2.el9_7.x86_64.rpm SHA-256: 2d9365c04ca456620d902d618176068100336b3ea3c4f7fddc8358ce0795059c PackageKit-debugsource-1.2.6-2.el9_7.i686.rpm SHA-256: 9d32672ff0e4e3c97bc2dd1882abaa7f7eec7d6e75f483d455ac5fe9fa7c2ac2 PackageKit-debugsource-1.2.6-2.el9_7.x86_64.rpm SHA-256: 0e5ffe735cd0ff0d47998f1d3990e2bf1300ff63ba97d245cdf8089a82eb5fd3 PackageKit-glib-1.2.6-2.el9_7.i686.rpm SHA-256: d100e77eea8af4d2fb71c838153ee3ba5c11082be2fb535fdc330369dcf72b36 PackageKit-glib-1.2.6-2.el9_7.x86_64.rpm SHA-256: e64ccf99da378f5211e7c214f1987afab96e1a967d5bba08b2e6f572c6f575bc PackageKit-glib-debuginfo-1.2.6-2.el9_7.i686.rpm SHA-256: 84e6817277ea4a1e95d3007eba8f1ac90698ad77a4d546ab85cf5b4ad363ba9b PackageKit-glib-debuginfo-1.2.6-2.el9_7.x86_64.rpm SHA-256: 1dde557fb31f5de06e72df6f2be5df467225d6206f1fe693c9ee1279a7cbb76b PackageKit-gstreamer-plugin-1.2.6-2.el9_7.x86_64.rpm SHA-256: 4b05b516c6439d5b68c0ffdb4f3fb9c046945a358467502a754f0cdd2710f46c PackageKit-gstreamer-plugin-debuginfo-1.2.6-2.el9_7.i686.rpm SHA-256: 8f8af4aae8048743f2a00a060b117cd1fab9610b30e3ff26c71ef60911cfaebf PackageKit-gstreamer-plugin-debuginfo-1.2.6-2.el9_7.x86_64.rpm SHA-256: fbf1d8f4161dc49480e461c431d1489dba667047099522da52c784eff34f42e3 PackageKit-gtk3-module-1.2.6-2.el9_7.x86_64.rpm SHA-256: f503bfc1f56970c7dd7ffe80685a8a65daaeb0fa3996945aa0ae9095e1d386fd PackageKit-gtk3-module-debuginfo-1.2.6-2.el9_7.i686.rpm SHA-256: a2b98e85a66285ef79bf9e1f28989bf3be0e93ac98c74c8af9f5154a936b43bc PackageKit-gtk3-module-debuginfo-1.2.6-2.el9_7.x86_64.rpm SHA-256: ca2ef32e45839ed334742290d2a78d6148e2272c8e77ddbd92433e943bf13a0c Red Hat Enterprise Linux for IBM z Systems 9 SRPM PackageKit-1.2.6-2.el9_7.src.rpm SHA-256: 491a94c97b3675bd55dc7aa1ca74fe1ca121d20e251aec23205e48369fdebd16 s390x PackageKit-1.2.6-2.el9_7.s390x.rpm SHA-256: 056a0dac9f46467da9199d307eb7529b9f7ddf732e1ccdd709c91eeef3630406 PackageKit-command-not-found-1.2.6-2.el9_7.s390x.rpm SHA-256: 6fbe7c2889d3134923e32b703ad021bda0c70954b5ee331a4a67c6a1629030a3 PackageKit-command-not-found-debuginfo-1.2.6-2.el9_7.s390x.rpm SHA-256: 33a9aa5e76d236096ea5e6955718af1555738a3608377911d28820061de2217c PackageKit-debuginfo-1.2.6-2.el9_7.s390x.rpm SHA-256: e3617c4905c9a85cad3133cfc4bed43050757973ee9dbdf2201ca74071fec0df PackageKit-debugsource-1.2.6-2.el9_7.s390x.rpm SHA-256: fcac0095d4cc586014534e1bf8390edfaf06537946f1128e405a21da20f11fe0 PackageKit-glib-1.2.6-2.el9_7.s390x.rpm SHA-256: 0b1f1043ba4af62b8bdfd1efc8ed209b5af6a92234812eaa40ee694d332e648f PackageKit-glib-debuginfo-1.2.6-2.el9_7.s390x.rpm SHA-256: 379e3000f3ac23af30b3cd9ddb76cdbd40301cecd590bb44367b460cc06bfa23 PackageKit-gstreamer-plugin-debuginfo-1.2.6-2.el9_7.s390x.rpm SHA-256: e64f2b4f666a02992735cd805fa103bc5a4b735195b1593867c908bfd629e87c PackageKit-gtk3-module-1.2.6-2.el9_7.s390x.rpm SHA-256: e22a805bb68a96578bdd8188f333eb50511ae2b1b0d3bc38675082547e3daf55 PackageKit-gtk3-module-debuginfo-1.2.6-2.el9_7.s390x.rpm SHA-256: 20ffdb69dc774bb4c41817987eb29758bf2306be91f9fdbab49d13b365f026b8 Red Hat Enterprise Linux for Power, little endian 9 SRPM PackageKit-1.2.6-2.el9_7.src.rpm SHA-256: 491a94c97b3675bd55dc7aa1ca74fe1ca121d20e251aec23205e48369fdebd16 ppc64le PackageKit-1.2.6-2.el9_7.ppc64le.rpm SHA-256: d187202b09826fc200af99d603b9c02738727c564a6939b6c83c3a320aeace57 PackageKit-command-not-found-1.2.6-2.el9_7.ppc64le.rpm SHA-256: aafcbac9d7be0fadcc62e755060cc8dfc8a332dd6dba7f396f1011b69a0b7120 PackageKit-command-not-found-debuginfo-1.2.6-2.el9_7.ppc64le.rpm SHA-256: b5aa688042f0f815d124bcebcb531b2760cb79fb438436fe1aa97f9ed493baf4 PackageKit-debuginfo-1.2.6-2.el9_7.ppc64le.rpm SHA-256: 10fdb4bebf77561303cf3b742d377f2341d8ada57bf44a7e0fd2128b6b13eb78 PackageKit-debugsource-1.2.6-2.el9_7.ppc64le.rpm SHA-256: cad5513a8c64b392a82a5a07765a5c660bba866a8083b85ff6767383263c4bc1 PackageKit-glib-1.2.6-2.el9_7.ppc64le.rpm SHA-256: 3fab10a37f166c492b5f76be4baf6b544ef0f12e06e9f39a7552c7426308098a PackageKit-glib-debuginfo-1.2.6-2.el9_7.ppc64le.rpm SHA-256: 64be8e8e54c413868eaaebaccb1e5836c2dc983b2753f98a3528f9be0cc20702 PackageKit-gstreamer-plugin-1.2.6-2.el9_7.ppc64le.rpm SHA-256: af14ff541c92345d6b8e8665482d6ade9461feeaf83d22097adb0255b40f7ff2 PackageKit-gstreamer-plugin-debuginfo-1.2.6-2.el9_7.ppc64le.rpm SHA-256: c1fcf13926a919ab0f4b8d529218b281be5df9585fae90184a68ef7f072f07d7 PackageKit-gtk3-module-1.2.6-2.el9_7.ppc64le.rpm SHA-256: de93953d0db100204e99d2bbcd118ba5b48db894a9e2f6e6a3287a9c9dc4a97b PackageKit-gtk3-module-debuginfo-1.2.6-2.el9_7.ppc64le.rpm SHA-256: 3f6e558cbb51c5e93fba89da96e1cb326959abd07ffcd4d0a4f16870c702b978 Red Hat Enterprise Linux for ARM 64 9 SRPM PackageKit-1.2.6-2.el9_7.src.rpm SHA-256: 491a94c97b3675bd55dc7aa1ca74fe1ca121d20e251aec23205e48369fdebd16 aarch64 PackageKit-1.2.6-2.el9_7.aarch64.rpm SHA-256: 403404e35ce73a9ce1d2c5c7cdb69b2ae3fd5f9ee5fc9f89fa71a28475f6fe7c PackageKit-command-not-found-1.2.6-2.el9_7.aarch64.rpm SHA-256: 349c5c92731028183d324f9c6de895eb6179c6cfe0112692ba7f3b5f5f4868fc PackageKit-command-not-found-debuginfo-1.2.6-2.el9_7.aarch64.rpm SHA-256: 3a25815122c5344ee8693d2b9c456036a444818c2fe981ec3ae5596545a9b097 PackageKit-debuginfo-1.2.6-2.el9_7.aarch64.rpm SHA-256: b7e36faa04b95b922542ec36e224a67eea16404ed84af8eea2a519cbc82938d5 PackageKit-debugsource-1.2.6-2.el9_7.aarch64.rpm SHA-256: 618d269aeee7a1f5d80096f8f43604c8ce8785e7fa8d36b7779edd45e67a8cdc PackageKit-glib-1.2.6-2.el9_7.aarch64.rpm SHA-256: e72355ca6c6277de0bf174bdbe9484e4afb93eb63e58fccf0a9f54c8bf3cab99 PackageKit-glib-debuginfo-1.2.6-2.el9_7.aarch64.rpm SHA-256: 3db203244dda8566855da22edd8ee0d3f831902731a229d7062534f62d88fa76 PackageKit-gstreamer-plugin-1.2.6-2.el9_7.aarch64.rpm SHA-256: b75dff20f2f5acc29fe49e3e399f754f4bb13b6a1b9af7417f901eea891df03c PackageKit-gstreamer-plugin-debuginfo-1.2.6-2.el9_7.aarch64.rpm SHA-256: 7271dd19efa76b4a70097aa72617bbe6ffa43085e60491cba0b1c0b65417cc12 PackageKit-gtk3-module-1.2.6-2.el9_7.aarch64.rpm SHA-256: 0fada953ba94ddfe6ce04ecd348d357e25ee235ab61cbaec87d58fb1d2d082f7 PackageKit-gtk3-module-debuginfo-1.2.6-2.el9_7.aarch64.rpm SHA-256: 3f542370d6b2066fc4e61931848db7685c8338f56c6191df0a7270ad3988a945 Red Hat CodeReady Linux Builder for x86_64 9 SRPM x86_64 PackageKit-command-not-found-debuginfo-1.2.6-2.el9_7.i686.rpm SHA-256: eeaed1ac0e1e71e51f16e3874642cf9feb80d9f7f530e8548ed1e99f1d62cec6 PackageKit-command-not-found-debuginfo-1.2.6-2.el9_7.x86_64.rpm SHA-256: c864fc15ed537851fe5e5ac837f93052c20f8bc2d0caaef1edc2da1a282c5805 PackageKit-debuginfo-1.2.6-2.el9_7.i686.rpm SHA-256: 08f4604168412f29ff107d02972eeba1bc87a2d2ada3d2d2f6f29f13705da490 PackageKit-debuginfo-1.2.6-2.el9_7.x86_64.rpm SHA-256: 2d9365c04ca456620d902d618176068100336b3ea3c4f7fddc8358ce0795059c PackageKit-debugsource-1.2.6-2.el9_7.i686.rpm SHA-256: 9d32672ff0e4e3c97bc2dd1882abaa7f7eec7d6e75f483d455ac5fe9fa7c2ac2 PackageKit-debugsource-1.2.6-2.el9_7.x86_64.rpm SHA-256: 0e5ffe735cd0ff0d47998f1d3990e2bf1300ff63ba97d245cdf8089a82eb5fd3 PackageKit-glib-debuginfo-1.2.6-2.el9_7.i686.rpm SHA-256: 84e6817277ea4a1e95d3007eba8f1ac90698ad77a4d546ab85cf5b4ad363ba9b PackageKit-glib-debuginf