CVE-2026-25828

Published February 12th, 2026

View on NVD ↗

CVSS v3

5.4

MEDIUM

CVSS v2

N/A

Affected

PROJECTS

Description

grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports "exploitation may not be feasible under normal conditions and may depend on specific implementation details within resolve_device."

Antynea/grub-btrfs

Include btrfs snapshots at boot options. (Grub menu)

GitHub

1.12K

cardosource/CVE-2026-25828UNAVAILABLE

Command Injection in grub-btrfs initramfs hook - CVE-2026-25828

GitHub