{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-25828", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-04T07:56:41.457Z", "dateReserved": "2026-02-06T00:00:00.000Z", "datePublished": "2026-02-12T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-04T07:56:41.457Z"}, "descriptions": [{"lang": "en", "value": "grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports \"exploitation may not be feasible under normal conditions and may depend on specific implementation details within resolve_device.\""}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Antynea/grub-btrfs/tree/master"}, {"url": "https://archlinux.org/packages/extra/any/grub-btrfs/"}, {"url": "https://github.com/cardosource/CVE-2026-25828"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "tags": ["disputed"]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T20:53:36.240723Z", "id": "CVE-2026-25828", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T20:54:07.450Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25828", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-13T20:53:36.240723Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T20:54:03.096Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Antynea/grub-btrfs/tree/master"}, {"url": "https://archlinux.org/packages/extra/any/grub-btrfs/"}, {"url": "https://github.com/cardosource/CVE-2026-25828"}], "descriptions": [{"lang": "en", "value": "grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports \"exploitation may not be feasible under normal conditions and may depend on specific implementation details within resolve_device.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-04T07:56:41.457Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25828", "state": "PUBLISHED", "dateUpdated": "2026-03-04T07:56:41.457Z", "dateReserved": "2026-02-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-12T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports \"exploitation may not be feasible under normal conditions and may depend on specific implementation details within resolve_device.\""}, {"lang": "es", "value": "grub-btrfs hasta el 31-01-2026 (en Arch Linux y distribuciones derivadas) permite la inyecci\u00f3n de comandos del sistema operativo en initramfs porque no sanea el par\u00e1metro $root de resolve_device()."}], "id": "CVE-2026-25828", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-12T22:16:05.493", "references": [{"source": "cve@mitre.org", "url": "https://archlinux.org/packages/extra/any/grub-btrfs/"}, {"source": "cve@mitre.org", "url": "https://github.com/Antynea/grub-btrfs/tree/master"}, {"source": "cve@mitre.org", "url": "https://github.com/cardosource/CVE-2026-25828"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "product": "grub-btrfs", "vendor": "antynea"}], "analysis": {"en": {"generated_at": "2026-04-16T17:13:32.064504+00:00", "value": {"mitigation_remediation": ["Upgrade grub-btrfs to the latest version available from the Arch Linux repository, which includes a fix that sanitizes the $root parameter before calling resolve_device().", "If an immediate upgrade is not possible, consider disabling the grub-btrfs module or switching to the standard grub initramfs loader to eliminate the injection vector until the patch is applied.", "Implement monitoring of boot-time logs and root filesystem integrity checks to detect any unauthorized modifications that might indicate an attempted injection."], "summary": {"action": "Assess Impact", "impact": "OS command injection in initramfs via unsanitized $root parameter"}, "threat_synthesis": {"affected_systems": "Packages of the grub-btrfs utility on Arch Linux and derivative distributions up through the release dated 2026\u201101\u201131 are affected. The issue originates from the grub\u2011btrfs binary before this date, so any systems running that version or earlier on these distributions are at risk.", "description_and_impact": "grub-btrfs, used by Arch Linux and derivatives, contains a flaw that allows command injection during the initramfs stage because the $root parameter is passed to resolve_device() without sanitization. This weakness (CWE-78) permits an attacker to inject arbitrary shell commands while the system is booting, potentially allowing privilege escalation or full system compromise if they can influence the $root value. The description notes that exploitation may not be feasible under normal conditions and could depend on specific implementation details within resolve_device().", "risk_and_exploitability": "With a CVSS score of 5.4, the vulnerability is rated moderate but not critical. The EPSS rating is below 1\u202f%, indicating that the likelihood of exploitation is low in the general population. Because the vulnerability is not listed in the CISA KEV catalog, no widespread exploitation has been documented. However, if an attacker can influence the $root parameter \u2013 for example, by modifying boot loader configuration or deceiving a user into booting from a malicious source \u2013 they could execute commands during boot. The risk is therefore contingent upon environmental factors and local access."}}}}, "created": "2026-02-13T21:35:45.590992+00:00", "title": "Unsanitized $root Parameter in grub-btrfs Enables Initramfs Command Injection", "updated": "2026-04-16T17:15:17.995203+00:00", "vendors": ["antynea", "antynea$PRODUCT$grub-btrfs"]}