grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device().Referenceshttps://github.com/Antynea/grub-btrfs/tree/masterhttps://archlinux.org/packages/extra/any/grub-btrfs/https://github.com/cardosource/CVE-2026-25828
