CVE-2025-37863

Source
https://cve.org/CVERecord?id=CVE-2025-37863
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37863.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37863
Published
2025-05-09T06:43:54.250Z
Modified
2026-03-20T12:42:31.392526Z
Summary
ovl: don't allow datadir only
Details

In the Linux kernel, the following vulnerability has been resolved:

ovl: don't allow datadir only

In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this.

Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops.

Fix by disallowing datadir without lowerdir.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37863.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cc0918b3582c98f12cfb30bf7496496d14bff3e9
Fixed
0874b629f65320778e7e3e206177770666d9db18
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
24e16e385f2272b1a9df51337a5c32d28a29c7ad
Fixed
b9e3579213ba648fa23f780e8d53e99011c62331
Fixed
21d2ffb0e9838a175064c22f3a9de97d1f56f27d
Fixed
eb3a04a8516ee9b5174379306f94279fc90424c4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37863.json"