Source: Red Hat advisory RHSA-2026:19128
Related CVEs: CVE-2026-25679 CVE-2025-61726
Symptom & Impact
On Red Hat Enterprise Linux 10 hosts that have yggdrasil-worker-package-manager installed, operators report behaviour consistent with Red Hat advisory RHSA-2026:19128: dnf refuses to install or restart affected services, SELinux AVC denials appear in /var/log/audit/audit.log, and, for security-rated advisories, the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever yggdrasil-worker-package-manager sits on the serving path.
Environment & Reproduction
Reproduction targets Red Hat Enterprise Linux 10. Confirm release and the installed package:
cat /etc/redhat-release
cat /etc/os-release
sudo subscription-manager status
sudo subscription-manager repos --list-enabled
rpm -q yggdrasil-worker-package-manager
dnf info yggdrasil-worker-package-manager | head -20
Trigger the workflow that exposes the problem while collecting logs:
sudo journalctl -u yggdrasil-worker-package-manager -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/dnf.log
sudo tail -200 /var/log/audit/audit.log
# For an evidence bundle with sosreport:
sudo sosreport --batch
Root Cause Analysis
The root cause is documented in Red Hat advisory RHSA-2026:19128. Red Hat maintainers shipped fixes in the corresponding yggdrasil-worker-package-manager update for Red Hat Enterprise Linux 10; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate dnf history with system logs:
sudo dnf history | head
sudo dnf history list yggdrasil-worker-package-manager
sudo dnf history info <id>
sudo ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted # non-zero = tainted kernel / out-of-tree modules
Quick Triage
Run these on Red Hat Enterprise Linux 10 to capture the current state of yggdrasil-worker-package-manager:
rpm -q yggdrasil-worker-package-manager # installed NVR
rpm -V yggdrasil-worker-package-manager # verify shipped files
sudo dnf check-update --security
sudo dnf updateinfo list cves
systemctl --failed --no-pager
sudo firewall-cmd --list-all
getenforce && sestatus
# If yggdrasil-worker-package-manager ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i yggdrasil | head
Step-by-Step Diagnosis
- List failed systemd units.
systemctl --failed --no-pager
- Tail the journal for yggdrasil-worker-package-manager and for the system as a whole.
sudo journalctl -u yggdrasil-worker-package-manager -f --no-pager
sudo journalctl -xe -f --no-pager
- Inspect firewall posture.
sudo firewall-cmd --list-all-zones --permanent
sudo nft list ruleset 2>/dev/null | head -50
- Surface SELinux denials and author a local policy module if needed.
sudo ausearch -m AVC,USER_AVC -ts today
# No -a: with -a audit2allow reads the whole audit log and ignores the piped, time-filtered input.
# -M takes a bare module name and writes local-fix.te and local-fix.pp to the current directory.
sudo ausearch -m AVC -ts today | audit2allow -M local-fix
sudo semodule -i local-fix.pp
- Verify yggdrasil-worker-package-manager integrity and reinstall if anything is altered.
sudo rpm -V yggdrasil-worker-package-manager
sudo dnf reinstall yggdrasil-worker-package-manager
- Correlate findings with /var/log/dnf.log, dnf history, and Red Hat advisory RHSA-2026:19128 to pin the change that introduced the problem.
Solution – Primary Fix
Apply the corrective dnf transaction referenced by Red Hat advisory RHSA-2026:19128, then reload affected systemd units:
sudo dnf -y makecache
sudo dnf -y upgrade --security # apply ALL security errata (recommended)
# Or target a single package:
sudo dnf -y upgrade yggdrasil-worker-package-manager
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i yggdrasil | head
sudo systemctl restart yggdrasil-worker-package-manager
rpm -q yggdrasil-worker-package-manager # confirm new NVR
systemctl is-active yggdrasil-worker-package-manager 2>/dev/null # confirm running (if a unit exists)
For kernel / glibc / systemd / openssl advisories a reboot is required (or kpatch where licensed):
sudo needs-restarting -r # report whether reboot needed
sudo systemctl reboot # or: sudo shutdown -r now
# kpatch (Red Hat / Oracle) avoids reboot for many kernel CVEs:
sudo dnf install -y kpatch kpatch-dnf
sudo dnf kpatch auto # enable auto-patching
sudo kpatch list
Solution – Alternative Approaches
If the primary patch is not viable, choose from these:
- Roll back the offending dnf transaction:
sudo dnf history list | head
sudo dnf history info <id>
sudo dnf history undo <id>
- Version-lock the package so dnf cannot upgrade it:
sudo dnf install -y python3-dnf-plugin-versionlock
sudo dnf versionlock add yggdrasil-worker-package-manager
sudo dnf versionlock list
sudo dnf versionlock delete yggdrasil-worker-package-manager # remove the lock
- Install an older NVR if a regression is suspected:
dnf --showduplicates list yggdrasil-worker-package-manager | tac | head
sudo dnf install -y --allowerasing yggdrasil-worker-package-manager-<older-NVR>
- Switch SELinux to permissive briefly to confirm policy is the cause, then re-enforce:
sudo setenforce 0
# reproduce, capture denials, author a custom module
# (no -a: with -a audit2allow ignores the piped, time-filtered input and reads the whole audit log):
sudo ausearch -m AVC -ts recent | audit2allow -M mylocal
sudo semodule -i mylocal.pp
sudo setenforce 1
- Take an LVM snapshot before kernel / glibc upgrades for fast rollback:
sudo lvs
sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>
# revert later via:
sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot
- Where kpatch is licensed, apply kernel fixes without reboot:
sudo kpatch list
sudo kpatch load /usr/lib/modules/$(uname -r)/extra/kpatch/*.ko
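The SELinux steps in the diagnosis list and in the alternatives above load whatever audit2allow generates, so the generated .te file deserves a check before semodule -i. The following is an added example, not part of the original guide or of Red Hat's tooling: it flags allow rules that grant listed high-risk permissions or touch listed sensitive types. The permission and type lists, the example_worker_t domain and the sample file are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: flag high-risk rules in an audit2allow-generated .te file.
# Constructed sample of the kind of file `audit2allow -M mylocal` writes;
# example_worker_t is a hypothetical domain, not one shipped by the package.
SAMPLE_TE='module mylocal 1.0;

require {
	type example_worker_t;
	type shadow_t;
	type var_log_t;
	class file { append open read };
	class process execmem;
}

allow example_worker_t var_log_t:file { append open };
allow example_worker_t shadow_t:file { open read };
allow example_worker_t self:process execmem;'

# Assumed starter lists; extend them to match local policy.
RISKY_PERMS="execmem execstack execheap execmod dac_override dac_read_search sys_admin sys_module sys_ptrace"
RISKY_TARGETS="shadow_t"

# risky_rules: read a .te file on stdin, print one line per allow rule that
# grants a listed permission or touches a listed target type; exit 1 if any.
risky_rules() {
    awk -v perms="$RISKY_PERMS" -v tgts="$RISKY_TARGETS" '
        BEGIN {
            n = split(perms, p, " "); for (i = 1; i <= n; i++) P[p[i]] = 1
            n = split(tgts, t, " ");  for (i = 1; i <= n; i++) T[t[i]] = 1
        }
        $1 == "allow" {
            split($3, tc, ":")                      # $3 is target_type:class
            why = (tc[1] in T) ? "sensitive target " tc[1] : ""
            for (i = 4; i <= NF; i++) {
                tok = $i; gsub(/[{};]/, "", tok)    # strip braces and semicolon
                if (tok in P) why = why (why ? ", " : "") "permission " tok
            }
            if (why) { print $2 " -> " $3 ": " why; bad = 1 }
        }
        END { exit bad }'
}

# Demo on the constructed sample; on a host, gate the load instead:
#   risky_rules < mylocal.te && sudo semodule -i mylocal.pp
printf '%s\n' "$SAMPLE_TE" | risky_rules || echo "review before loading"
```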
Verification & Acceptance Criteria
All of these should pass after the fix:
rpm -q yggdrasil-worker-package-manager # expected fixed NVR
sudo dnf updateinfo list cves # CVEs above no longer listed (default view shows only advisories still pending)
systemctl is-active yggdrasil-worker-package-manager 2>/dev/null
sudo journalctl -u yggdrasil-worker-package-manager --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
getenforce
sudo needs-restarting -r
The original reproduction must not trigger across two consecutive runs.
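One way to script the CVE line of the checklist above, as an added example rather than part of the advisory or the original guide: it filters dnf updateinfo list cves output for the two CVEs this page names and fails if either is still pending for the package. The sample listings, severities, NEVRA strings and examplepkg are constructed.

```shell
#!/bin/sh
# Added example: check that the CVEs named on this page are no longer pending.
PKG=yggdrasil-worker-package-manager
CVES="CVE-2026-25679 CVE-2025-61726"

# Constructed `dnf updateinfo list cves` output (columns: CVE, type/severity,
# package NEVRA). Severities, versions and examplepkg are made up for the demo.
SAMPLE_BEFORE='CVE-2025-61726 Important/Sec. yggdrasil-worker-package-manager-0.0.0-2.el10.x86_64
CVE-2026-25679 Important/Sec. yggdrasil-worker-package-manager-0.0.0-2.el10.x86_64
CVE-0000-00000 Low/Sec.       examplepkg-1.0-2.el10.x86_64'
SAMPLE_AFTER='CVE-0000-00000 Low/Sec.       examplepkg-1.0-2.el10.x86_64'

# pending_cves PKG CVE...: read updateinfo text on stdin, print each requested
# CVE that still has an update pending for PKG (once each); exit 1 if any.
pending_cves() {
    pkg=$1; shift
    awk -v pkg="$pkg" -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        ($1 in need) && index($3, pkg "-") == 1 && !seen[$1]++ { print $1; bad = 1 }
        END { exit bad }'
}

# Demo on the constructed samples; on a host, feed it the live listing:
#   sudo dnf updateinfo list cves | pending_cves "$PKG" $CVES
for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    printf '%s\n' "$s" | pending_cves "$PKG" $CVES || echo "FAIL: still pending"
done
```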
Rollback Plan
Capture state before any change:
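# The redirect target is under /root, so write it through sudo tee rather than the caller's shell:
rpm -qa | sudo tee /root/rpm-pre.txt > /dev/null
sudo dnf history list | sudo tee /root/dnf-history-pre.txt > /dev/null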
# Optional LVM snapshot of the root LV:
sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>
To revert if the patch is bad:
sudo dnf history undo <id>
# Or downgrade just the package:
sudo dnf install -y --allowerasing yggdrasil-worker-package-manager-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart yggdrasil-worker-package-manager
# Or merge the LVM snapshot and reboot:
sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot
# Custom SELinux policy cleanup:
sudo semodule -r mylocal
Prevention & Hardening
Reduce the chance of this recurring on Red Hat Enterprise Linux 10:
- Enable automatic security patching:
sudo dnf install -y dnf-automatic
sudo sed -i 's/^upgrade_type.*/upgrade_type = security/' /etc/dnf/automatic.conf
sudo sed -i 's/^apply_updates.*/apply_updates = yes/' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
- Register the host with Red Hat Insights and the Remote Host Configuration daemon:
sudo insights-client --register
sudo insights-client --check-results
sudo dnf install -y rhc && sudo rhc connect
- Watch Red Hat Product Security advisories and the Red Hat Security Data feeds for upstream changes.
- Mirror through Red Hat Satellite / Capsule for controlled rollouts:
sudo dnf install -y dnf-utils createrepo_c
sudo reposync --download-metadata --downloadcomps -p /srv/mirror --repoid=baseos
sudo createrepo_c /srv/mirror/baseos
- Version-lock sensitive packages so they cannot be auto-upgraded:
sudo dnf install -y python3-dnf-plugin-versionlock
sudo dnf versionlock add yggdrasil-worker-package-manager
- Monitor file integrity with AIDE:
sudo dnf install -y aide
sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
sudo aide --check
- Enable kpatch so kernel CVEs can be remediated without reboot:
sudo dnf install -y kpatch kpatch-dnf
sudo dnf kpatch auto
sudo kpatch list
- Keep SELinux in enforcing mode and review custom modules in /etc/selinux/targeted/ after every package upgrade.
- Apply CIS Red Hat Enterprise Linux 10 Benchmark hardening and remove unused packages.
Related Errors & Cross-Refs
Issues that commonly surface alongside this advisory: dnf lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Useful triage:
sudo dnf check
systemd-analyze critical-chain
sudo ausearch -m AVC -ts today | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
sudo needs-restarting -r
References & Further Reading
Primary reference: Red Hat advisory RHSA-2026:19128. Manual pages useful on Red Hat Enterprise Linux 10:
man dnf
man dnf.conf
man systemctl
man journalctl
man firewall-cmd
man semanage
man audit2allow
man kpatch
man sosreport
Other resources: Red Hat Enterprise Linux documentation, Red Hat CVE database, Red Hat product errata, and per-package notes in /usr/share/doc/yggdrasil-worker-package-manager/ for components implicated in this advisory.