CVE-2025-37863

ovl: don't allow datadir only

Description

In the Linux kernel, the following vulnerability has been resolved: ovl: don't allow datadir only In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this. Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops. Fix by disallowing datadir without lowerdir.

N/A

CVSS

Severity:

EPSS 0.02%

Affected: Linux Linux

References

Link	Tags
https://git.kernel.org/stable/c/0874b629f65320778e7e3e206177770666d9db18
https://git.kernel.org/stable/c/b9e3579213ba648fa23f780e8d53e99011c62331
https://git.kernel.org/stable/c/21d2ffb0e9838a175064c22f3a9de97d1f56f27d
https://git.kernel.org/stable/c/eb3a04a8516ee9b5174379306f94279fc90424c4

Frequently Asked Questions

What is the severity of CVE-2025-37863?: CVE-2025-37863 has not yet been assigned a CVSS score.
How to fix CVE-2025-37863?: To fix CVE-2025-37863, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-37863 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-37863 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-37863?: CVE-2025-37863 affects Linux Linux, Linux Linux.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.