Medium severity5.4NVD Advisory· Published Feb 12, 2026· Updated Apr 15, 2026

CVE-2026-25828

Description

grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports "exploitation may not be feasible under normal conditions and may depend on specific implementation details within resolve_device."

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

archlinux.org/packages/extra/any/grub-btrfs/nvd
github.com/Antynea/grub-btrfs/tree/masternvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000