A recently discovered vulnerability in PackageKit is considered critical, as it allows a local user to escalate privileges and gain root access. Red Hat’s recommended mitigation is to stop and mask the PackageKit service.
https://access.redhat.com/security/cve/cve-2026-41651
My question is whether completely removing the package would have any impact on servers (running without a GUI). Below are its dependencies:
- PackageKit-glib
- libappstream-glib
- libsoup
- libstemmer
I have servers that have none of the four installed (and some that have only some installed).
You can see what dnf rm PackageKit-glib would remove as dependencies (if you would say yes).
On Rocky 9.x, I uninstalled gnome-software and PackageKit some time ago, but not the dependencies shown above. There’s a difference between things that PackageKit depends on, and things that depend on PackageKit.
Here’s how it looked:
dnf remove gnome-software
Removing:
gnome-software x86_64 45.3-3.el9 @appstream 9.0 M
Removing unused dependencies:
composefs x86_64 1.0.5-1.el9 @appstream 190 k
flatpak-libs x86_64 1.12.9-3.el9_5 @appstream 1.3 M
ostree x86_64 2024.7-3.el9_5 @appstream 779 k
dnf remove PackageKit
Removing:
PackageKit x86_64 1.2.6-1.el9 @appstream 2.8 M
Removing dependent packages:
PackageKit-command-not-found x86_64 1.2.6-1.el9 @appstream 35 k
cockpit-packagekit noarch 323.1-1.el9_5 @appstream 825 k
Removing unused dependencies:
python3-psutil x86_64 5.8.0-12.el9 @AppStream 1.1 M
python3-tracer noarch 1.1-2.el9 @appstream 313 k
tracer-common noarch 1.1-2.el9 @appstream 34 k
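Added example (not posted by anyone in this thread): a small shell helper that sorts the packages in a dnf removal transaction into the three groups seen above, so that the "dependent packages" (things that depend on PackageKit and would lose functionality) stand out from leaf dependencies that are merely no longer needed. The function names and the embedded sample, which is constructed from the output quoted above, are assumptions of this example.

```shell
#!/bin/sh
# Classify packages in a `dnf remove` transaction summary read from stdin.
# Prints one "<category> <package>" line per package, where category is:
#   requested - the package named on the command line
#   dependent - packages that require it and are removed along with it
#   unused    - leaf dependencies nothing else needs afterwards
classify_removal() {
    awk '
        /^Removing:/                     { cat = "requested"; next }
        /^Removing dependent packages:/  { cat = "dependent"; next }
        /^Removing unused dependencies:/ { cat = "unused";    next }
        /^Transaction Summary/           { cat = "";          next }
        # Package rows: name arch version repo size unit
        cat != "" && NF >= 4             { print cat, $1 }
    '
}

# Only the packages that depend on the one being removed.
dependents() {
    classify_removal | awk '$1 == "dependent" { print $2 }'
}

# Constructed sample, based on the transaction quoted in the thread.
sample_transaction() {
    cat <<'EOF'
Removing:
 PackageKit                    x86_64  1.2.6-1.el9    @appstream  2.8 M
Removing dependent packages:
 PackageKit-command-not-found  x86_64  1.2.6-1.el9    @appstream   35 k
 cockpit-packagekit            noarch  323.1-1.el9_5  @appstream  825 k
Removing unused dependencies:
 python3-psutil                x86_64  5.8.0-12.el9   @AppStream  1.1 M
 python3-tracer                noarch  1.1-2.el9      @appstream  313 k
 tracer-common                 noarch  1.1-2.el9      @appstream   34 k
EOF
}

# Demo on the sample; on a real host, pipe in a dry run instead:
#   dnf remove --assumeno PackageKit | dependents
sample_transaction | classify_removal
```

On the sample, the dependent group contains cockpit-packagekit, which is the kind of entry to review before confirming the removal on a headless server that is managed through Cockpit.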