CVE-2025-37863

ovl: don't allow datadir only

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: ovl: don't allow datadir only In theory overlayfs could support upper layer directly referring to a data
layer, but there's no current use case for this. Originally, when data-only layers were introduced, this wasn't allowed,
only introduced by the "datadir+" feature, but without actually handling
this case, resulting in an Oops. Fix by disallowing datadir without lowerdir.

In the Linux kernel, the following vulnerability has been resolved: ovl: don't allow datadir only In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this. Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops. Fix by disallowing datadir without lowerdir.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-05-09 CVE Published
2025-05-09 CVE Updated
2025-05-09 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/cc0918b3582c98f12cfb30bf7496496d14bff3e9	Vuln. Introduced
https://git.kernel.org/stable/c/24e16e385f2272b1a9df51337a5c32d28a29c7ad	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0874b629f65320778e7e3e206177770666d9db18	2025-04-25
https://git.kernel.org/stable/c/b9e3579213ba648fa23f780e8d53e99011c62331	2025-04-25
https://git.kernel.org/stable/c/21d2ffb0e9838a175064c22f3a9de97d1f56f27d	2025-04-25
https://git.kernel.org/stable/c/eb3a04a8516ee9b5174379306f94279fc90424c4	2025-04-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.23 < 6.6.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.23 < 6.6.88"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.12.25 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.12.25"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.14.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.14.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.15-rc3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.15-rc3"		en		Affected