CVE-2025-37863

Summary

In the Linux kernel, the following vulnerability has been resolved:

ovl: don't allow datadir only

In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this.

Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops.

Fix by disallowing datadir without lowerdir.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxcc0918b3582c98f12cfb30bf7496496d14bff3e9 < 0874b629f65320778e7e3e206177770666d9db18affected
LinuxLinux24e16e385f2272b1a9df51337a5c32d28a29c7ad < b9e3579213ba648fa23f780e8d53e99011c62331affected
LinuxLinux24e16e385f2272b1a9df51337a5c32d28a29c7ad < 21d2ffb0e9838a175064c22f3a9de97d1f56f27daffected
LinuxLinux24e16e385f2272b1a9df51337a5c32d28a29c7ad < eb3a04a8516ee9b5174379306f94279fc90424c4affected
LinuxLinux6.6.23 < 6.6.88affected
LinuxLinux6.7affected
LinuxLinux0 < 6.7unaffected
LinuxLinux6.6.88 <= 6.6.*unaffected
LinuxLinux6.12.25 <= 6.12.*unaffected
LinuxLinux6.14.4 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

References