CVE-2026-25828

MEDIUM

grub-btrfs <2026-01-31 - Command Injection

Title source: llm

Description

grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports "exploitation may not be feasible under normal conditions and may depend on specific implementation details within resolve_device."

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25828

View Code ZIP pw:eip

nomisec WORKING POC 2 stars

by cardosource · poc

https://github.com/cardosource/CVE-2026-25828

View Code ZIP pw:eip

References (3)

[Various Sources] https://archlinux.org/packages/extra/any/grub-btrfs/

[Various Sources] https://github.com/Antynea/grub-btrfs/tree/master

[Various Sources] https://github.com/cardosource/CVE-2026-25828

Scores

CVSS v3 5.4

EPSS 0.0171

EPSS Percentile 82.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-78

Status draft

Timeline

Published Feb 12, 2026

Tracked Since Feb 18, 2026