Impact
grub-btrfs, used by Arch Linux and derivatives, contains a flaw that allows command injection during the initramfs stage because the $root parameter is passed to resolve_device() without sanitization. This weakness (CWE-78) permits an attacker to inject arbitrary shell commands while the system is booting, potentially allowing privilege escalation or full system compromise if they can influence the $root value. The description notes that exploitation may not be feasible under normal conditions and could depend on specific implementation details within resolve_device().
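The page does not reproduce resolve_device(), so the following added POSIX sh example (not grub-btrfs's own code) shows only the defensive side: how a boot hook can extract root= from the kernel command line and validate it against an allowlist before handing it to any device-resolution routine. The accepted forms (UUID=, PARTUUID=, LABEL=, PARTLABEL=, or a /dev path) and the function names are assumptions for illustration.

```shell
# Added example, not from grub-btrfs. Validates a root= value before it is
# used by a device-resolution step in an initramfs hook.

# Return 0 if $1 is an acceptable root= value, 1 otherwise.
validate_root() {
    v=$1
    # Reject empty values and anything containing characters outside a
    # conservative allowlist (no whitespace, quotes, $, ;, |, &, backticks, parentheses).
    case "$v" in
        "") return 1 ;;
        *[!A-Za-z0-9/=_.:-]*) return 1 ;;
    esac
    # Assumed allowlist of forms a root= parameter is expected to take.
    case "$v" in
        /dev/*) return 0 ;;
        UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*) return 0 ;;
    esac
    return 1
}

# Extract the root= value from a kernel command line given as one string.
# Prints the value and returns 0, or returns 1 if no root= is present.
root_from_cmdline() {
    # Split on whitespace only; disable globbing so a stray '*' cannot expand.
    set -f
    for arg in $1; do
        case "$arg" in
            root=*) set +f; printf '%s\n' "${arg#root=}"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Hypothetical safe consumer: validate first, then pass the value as a single
# quoted argument. Never eval or leave the expansion unquoted.
resolve_device_safely() {
    validate_root "$1" || { echo "rejected root= value" >&2; return 1; }
    printf 'resolving %s\n' "$1"
}

# Constructed sample command line for a stand-alone run.
sample='BOOT_IMAGE=/vmlinuz-linux root=UUID=1234-ABCD rw rootflags=subvol=@'
r=$(root_from_cmdline "$sample") && resolve_device_safely "$r"
```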
Affected Systems
Packages of the grub-btrfs utility on Arch Linux and derivative distributions up through the release dated 2026-01-31 are affected. The flaw is present in grub-btrfs as shipped before that date, so any system running that version or earlier on these distributions is at risk.
Risk and Exploitability
With a CVSS score of 5.4, the vulnerability is rated moderate but not critical. The EPSS rating is below 1 %, indicating that the likelihood of exploitation is low in the general population. The vulnerability is not listed in the CISA KEV catalog, so no widespread in-the-wild exploitation has been documented. However, if an attacker can influence the $root parameter – for example, by modifying boot loader configuration or deceiving a user into booting from a malicious source – they could execute commands during boot. The risk is therefore contingent upon environmental factors and local access.
OpenCVE Enrichment