CVE-2026-25828 is a critical command injection vulnerability in the grub-btrfs package used in Arch Linux and derivative distributions. The issue exists in the initramfs hook "grub-btrfs-overlayfs" which passes the $root kernel parameter directly into resolve_device() without proper sanitization, allowing an attacker with local or bootloader access to inject shell commands during early boot. Affected Product: - grub-btrfs – all versions up to 2026-01-31 on Arch and derivatives Vulnerability: Unsanitized usage of the $root variable from the kernel command line allows shell metacharacter injection and arbitrary code execution as root during boot. Proof of Concept: Example exploit modifying GRUB kernel line: linux /vmlinuz-linux root="/dev/sda1; echo 'root::0:0:root:/root:/bin/bash' >> /etc/passwd; #" rw quiet Impact: - Arbitrary command execution as root - Privilege escalation - System compromise during boot stage