Skip to main content

Linux CVE-2026-25828

MEDIUM
OS Command Injection (CWE-78)
2026-02-12 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
CVE Published
Feb 12, 2026 - 22:16 nvd
MEDIUM 5.4

DescriptionCVE.org

grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports "exploitation may not be feasible under normal conditions and may depend on specific implementation details within resolve_device."

AnalysisAI

Authenticated users can inject arbitrary OS commands into the initramfs boot process through unsanitized input parameters in grub-btrfs versions through January 2026 on Arch Linux and derivatives. The vulnerability requires valid credentials and may have limited exploitability depending on specific system configurations. No patch is currently available for this medium-severity command injection flaw.

Technical ContextAI

Classified as CWE-78 (OS Command Injection). Affects grub-btrf. grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports "exploitation may not be feasible under normal conditions and may depend on specific implementation details within resolve_device."

Affected ProductsAI

Product: grub-btrf. Versions: up to 2026-01.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-25828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy