CVE-2025-37863

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37863
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37863.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37863
Published
2025-05-09T06:43:54.250Z
Modified
2025-11-28T02:34:49.108974Z
Summary
ovl: don't allow datadir only
Details

In the Linux kernel, the following vulnerability has been resolved:

ovl: don't allow datadir only

In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this.

Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops.

Fix by disallowing datadir without lowerdir.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37863.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cc0918b3582c98f12cfb30bf7496496d14bff3e9
Fixed
0874b629f65320778e7e3e206177770666d9db18
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
24e16e385f2272b1a9df51337a5c32d28a29c7ad
Fixed
b9e3579213ba648fa23f780e8d53e99011c62331
Fixed
21d2ffb0e9838a175064c22f3a9de97d1f56f27d
Fixed
eb3a04a8516ee9b5174379306f94279fc90424c4

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.88
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.25
Fixed
6.14.4