CVE-2026-25828 PUBLISHED

Assigner: mitre
Reserved: 06.02.2026 Published: 12.02.2026 Updated: 12.02.2026

grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device().

Product Status

Vendor	n/a
Product	n/a
Versions	Version n/a is affected

References

https://github.com/Antynea/grub-btrfs/tree/master
https://archlinux.org/packages/extra/any/grub-btrfs/
https://github.com/cardosource/CVE-2026-25828

Problem Types

n/a text