- What: Security update for PackageKit in Red Hat Enterprise Linux 10
- Impact: Systems using PackageKit may be vulnerable to a race condition leading to arbitrary package installation as root
Red Hat Product Errata RHSA-2026:19141 - Security Advisory Issued: 2026-05-19 Updated: 2026-05-19 RHSA-2026:19141 - Security Advisory Overview Updated Packages Synopsis Important: PackageKit security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for PackageKit is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API. Security Fix(es): PackageKit: race condition vulnerability leads to arbitrary package installation as root (CVE-2026-41651) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64 Red Hat CodeReady Linux Builder for x86_64 10 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le Red Hat CodeReady Linux Builder for ARM 64 10 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.2 x86_64 Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.2 ppc64le Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.2 s390x Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.2 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x Fixes BZ - 2460604 - CVE-2026-41651 PackageKit: race condition vulnerability leads to arbitrary package installation as root CVEs CVE-2026-41651 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM PackageKit-1.2.8-8.el10_2.src.rpm SHA-256: c11cff2b0623fbb5699606b1acf64a94e811e8456e1413aef804ac46f650f187 x86_64 PackageKit-1.2.8-8.el10_2.x86_64.rpm SHA-256: dad6c8f644508cdf8508a2dd1bb298862086ba5a499fae585a08c7b200a8e1aa PackageKit-command-not-found-1.2.8-8.el10_2.x86_64.rpm SHA-256: cf2dd61f8161b549c265fb5ade8280165b1f0356537c09281cdbb77e4cc752bd PackageKit-command-not-found-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: 01005e310658576d2a03423f58d9143dc7110006e186e5e24b65a427e357f5d2 PackageKit-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: 7ed943391bf4336080aae56f6b5a41b11a6c1fca87e3480016248ad322458f8b PackageKit-debugsource-1.2.8-8.el10_2.x86_64.rpm SHA-256: 62b6ca6f0d93fbb3380106d7bfa449762ce68707803f1eef1f615631a5501993 PackageKit-glib-1.2.8-8.el10_2.x86_64.rpm SHA-256: 782126dbfa020e8fee4282944219973433e0bc6df118d316af8a7c74a2288286 PackageKit-glib-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: 547438f28e207d21f770397a2d43559354d888fcad15f7aa58881546f63e5d39 PackageKit-gstreamer-plugin-1.2.8-8.el10_2.x86_64.rpm SHA-256: e1969ad48e9092497ac08b10dd90093aaa217a90d19093124ac1d7fed8d0ec57 PackageKit-gstreamer-plugin-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: 7043b18b2f84c46affc3e3fd7144a5d0d51d03a4f7757c5473c41b6d7707735f PackageKit-gtk3-module-1.2.8-8.el10_2.x86_64.rpm SHA-256: 145a6ba04228315a4efa3085f83c783689fa22f79b23107a71ad81659f6be51b PackageKit-gtk3-module-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: b969a03277c3126d63ae756f651cd118b94c95defda22d9090b1ba91460b0321 Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 SRPM PackageKit-1.2.8-8.el10_2.src.rpm SHA-256: c11cff2b0623fbb5699606b1acf64a94e811e8456e1413aef804ac46f650f187 x86_64 PackageKit-1.2.8-8.el10_2.x86_64.rpm SHA-256: dad6c8f644508cdf8508a2dd1bb298862086ba5a499fae585a08c7b200a8e1aa PackageKit-command-not-found-1.2.8-8.el10_2.x86_64.rpm SHA-256: cf2dd61f8161b549c265fb5ade8280165b1f0356537c09281cdbb77e4cc752bd PackageKit-command-not-found-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: 01005e310658576d2a03423f58d9143dc7110006e186e5e24b65a427e357f5d2 PackageKit-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: 7ed943391bf4336080aae56f6b5a41b11a6c1fca87e3480016248ad322458f8b PackageKit-debugsource-1.2.8-8.el10_2.x86_64.rpm SHA-256: 62b6ca6f0d93fbb3380106d7bfa449762ce68707803f1eef1f615631a5501993 PackageKit-glib-1.2.8-8.el10_2.x86_64.rpm SHA-256: 782126dbfa020e8fee4282944219973433e0bc6df118d316af8a7c74a2288286 PackageKit-glib-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: 547438f28e207d21f770397a2d43559354d888fcad15f7aa58881546f63e5d39 PackageKit-gstreamer-plugin-1.2.8-8.el10_2.x86_64.rpm SHA-256: e1969ad48e9092497ac08b10dd90093aaa217a90d19093124ac1d7fed8d0ec57 PackageKit-gstreamer-plugin-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: 7043b18b2f84c46affc3e3fd7144a5d0d51d03a4f7757c5473c41b6d7707735f PackageKit-gtk3-module-1.2.8-8.el10_2.x86_64.rpm SHA-256: 145a6ba04228315a4efa3085f83c783689fa22f79b23107a71ad81659f6be51b PackageKit-gtk3-module-debuginfo-1.2.8-8.el10_2.x86_64.rpm SHA-256: b969a03277c3126d63ae756f651cd118b94c95defda22d9090b1ba91460b0321 Red Hat Enterprise Linux for IBM z Systems 10 SRPM PackageKit-1.2.8-8.el10_2.src.rpm SHA-256: c11cff2b0623fbb5699606b1acf64a94e811e8456e1413aef804ac46f650f187 s390x PackageKit-1.2.8-8.el10_2.s390x.rpm SHA-256: 539c38324b7c878d316087b4878f4a8609d81d861d673e7665080364c3f25d8f PackageKit-command-not-found-1.2.8-8.el10_2.s390x.rpm SHA-256: 92866a9bda525305a2a81eda6d11c2487b0ee7a513e88947db74ba86fcce640c PackageKit-command-not-found-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: a2dd842063193645e4e87b281574365299081bbe0b4277a0d86187800274405c PackageKit-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: bb57bba10f0a6a613591f94b5e83f3900b739b419b4e82ee3ab1373c16019575 PackageKit-debugsource-1.2.8-8.el10_2.s390x.rpm SHA-256: 144af4c8b53ea12391dd1e6dccdde12e1245c1b8d3a1fae06adb0350f47c1e9c PackageKit-glib-1.2.8-8.el10_2.s390x.rpm SHA-256: 655ee6cc3e4f4f795a624a655844563a8b2f67e4698572606297c77de3870429 PackageKit-glib-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: 93dabc46930037b34fd074af37452688dceff38ee4bc80c98b2640d20a764195 PackageKit-gstreamer-plugin-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: 81aeb42ed286a465234545ed18d52baa7b6035da47e2d3e02f9263c6ae2673b7 PackageKit-gtk3-module-1.2.8-8.el10_2.s390x.rpm SHA-256: 6c996700ecf1b2e9b3e208a348ec3762fcba8faf15b23065531f4d794f80662e PackageKit-gtk3-module-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: 36ca5ec6e89f14361eb80725c335e9e33a2dbb469245ab133f0cf33bd21f25b3 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 SRPM PackageKit-1.2.8-8.el10_2.src.rpm SHA-256: c11cff2b0623fbb5699606b1acf64a94e811e8456e1413aef804ac46f650f187 s390x PackageKit-1.2.8-8.el10_2.s390x.rpm SHA-256: 539c38324b7c878d316087b4878f4a8609d81d861d673e7665080364c3f25d8f PackageKit-command-not-found-1.2.8-8.el10_2.s390x.rpm SHA-256: 92866a9bda525305a2a81eda6d11c2487b0ee7a513e88947db74ba86fcce640c PackageKit-command-not-found-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: a2dd842063193645e4e87b281574365299081bbe0b4277a0d86187800274405c PackageKit-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: bb57bba10f0a6a613591f94b5e83f3900b739b419b4e82ee3ab1373c16019575 PackageKit-debugsource-1.2.8-8.el10_2.s390x.rpm SHA-256: 144af4c8b53ea12391dd1e6dccdde12e1245c1b8d3a1fae06adb0350f47c1e9c PackageKit-glib-1.2.8-8.el10_2.s390x.rpm SHA-256: 655ee6cc3e4f4f795a624a655844563a8b2f67e4698572606297c77de3870429 PackageKit-glib-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: 93dabc46930037b34fd074af37452688dceff38ee4bc80c98b2640d20a764195 PackageKit-gstreamer-plugin-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: 81aeb42ed286a465234545ed18d52baa7b6035da47e2d3e02f9263c6ae2673b7 PackageKit-gtk3-module-1.2.8-8.el10_2.s390x.rpm SHA-256: 6c996700ecf1b2e9b3e208a348ec3762fcba8faf15b23065531f4d794f80662e PackageKit-gtk3-module-debuginfo-1.2.8-8.el10_2.s390x.rpm SHA-256: 36ca5ec6e89f14361eb80725c335e9e33a2dbb469245ab133f0cf33bd21f25b3 Red Hat Enterprise Linux for Power, little endian 10 SRPM PackageKit-1.2.8-8.el10_2.src.rpm SHA-256: c11cff2b0623fbb5699606b1acf64a94e811e8456e1413aef804ac46f650f187 ppc64le PackageKit-1.2.8-8.el10_2.ppc64le.rpm SHA-256: 023c4c0bac95d592fb4653dff0cd0765dc0b9be410e249a18964b8dae5cd5203 PackageKit-command-not-found-1.2.8-8.el10_2.ppc64le.rpm SHA-256: bef6e0997de90ef032e5ddd7e6b91df0c5fbaee9c6b01a799ad1b41292ee367d PackageKit-command-not-found-debuginfo-1.2.8-8.el10_2.ppc64le.rpm SHA-256: 380e4ea9cffcbe9b493c66d1e27d9a53f1a17db5c90eb9de44b8a5130a8b5128 PackageKit-debuginfo-1.2.8-8.el10_2.ppc64le.rpm SHA-256: 0ce254d415