diff --git a/driver/modern_bpf/definitions/missing_definitions.h b/driver/modern_bpf/definitions/missing_definitions.h
index 420d6ace3d1..ed7327c491a 100644
--- a/driver/modern_bpf/definitions/missing_definitions.h
+++ b/driver/modern_bpf/definitions/missing_definitions.h
@@ -1557,4 +1557,9 @@
 #define MODULE_INIT_COMPRESSED_FILE 4
 /*==================================== FINIT FLAGS ================================*/
+/*==================================== OVERLAY FLAGS ================================*/
+#define DCACHE_DISCONNECTED 0x20
+#define OVL_E_UPPER_ALIAS 0
+/*==================================== OVERLAY FLAGS ================================*/
+
 #endif /* __MISSING_DEFINITIONS_H__ */
diff --git a/driver/modern_bpf/helpers/extract/extract_from_kernel.h b/driver/modern_bpf/helpers/extract/extract_from_kernel.h
index 5e68f3d0d77..d1d3b0ee27d 100644
--- a/driver/modern_bpf/helpers/extract/extract_from_kernel.h
+++ b/driver/modern_bpf/helpers/extract/extract_from_kernel.h
@@ -823,8 +823,7 @@ static __always_inline bool extract__exe_upper_layer(struct inode *inode, struct
 struct dentry *dentry = (struct dentry *)BPF_CORE_READ(exe_file, f_path.dentry);
 unsigned int d_flags = BPF_CORE_READ(dentry, d_flags);
- // DCACHE_DISCONNECTED = 0x20
- bool disconnected = (d_flags & 0x20);
+ bool disconnected = (d_flags & DCACHE_DISCONNECTED);
 if(disconnected)
 {
 return true;
@@ -838,9 +837,13 @@ static __always_inline bool extract__exe_upper_layer(struct inode *inode, struct
 struct ovl_entry___before_v6_5 *oe = (struct ovl_entry___before_v6_5*)BPF_CORE_READ(dentry, d_fsdata);
 flags = (unsigned long)BPF_CORE_READ(oe, flags);
 }
+ else
+ {
+ // kernel >=6.5
+ flags = (unsigned long)BPF_CORE_READ(dentry, d_fsdata);
+ }
- // OVL_E_UPPER_ALIAS = 0
- unsigned long has_upper = (flags & (1U << (0)));
+ unsigned long has_upper = (flags & (1U << (OVL_E_UPPER_ALIAS)));
 if(has_upper)
 {
 return true;
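Review bot: The two new macros in missing_definitions.h carry no note of where their values come from, and both mirror kernel-internal definitions rather than UAPI constants, so nothing flags them if the kernel renumbers them. Because extract__exe_upper_layer uses them to decide whether an executable lives in the overlay upper layer, a stale value would silently turn that check into a false negative. I would document the provenance next to each define, e.g. `/* include/linux/dcache.h: dentry->d_flags bit */` above `DCACHE_DISCONNECTED` and `/* fs/overlayfs/ovl_entry.h: enum ovl_entry_flag, used as a bit index */` above `OVL_E_UPPER_ALIAS`. It is also worth confirming that `OVL_E_UPPER_ALIAS` cannot collide with an enumerator of the same name if the build's vmlinux.h ever includes the overlayfs enum; the include order is not visible from this diff.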
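Review bot: In the second hunk of extract_from_kernel.h, the new `else` branch treats every kernel that fails the pre-6.5 probe as using the 6.5+ layout, and the `// kernel >=6.5` comment does not say what that layout is. The `if` condition starts outside the hunk, so I cannot tell whether it can also fail for another reason (for instance the overlayfs type not being resolvable); in that case `d_fsdata` would still be a pointer and bit 0 would most likely read as clear, giving a missed upper-layer detection rather than an error. I would spell the assumption out: `// kernel >= 6.5: overlayfs stores the entry flags directly in dentry->d_fsdata, there is no struct ovl_entry behind it`. As a smaller style point, `flags` is `unsigned long`, so the mask reads more consistently as `(1UL << OVL_E_UPPER_ALIAS)`.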