diff --git a/lib/setup.c b/lib/setup.c
index e3d00b7a..e8ba7041 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -2904,6 +2904,23 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
 	return LUKS2_keyslot_wipe(cd, &cd->u.luks2.hdr, keyslot, 0);
 }
 
+static int _check_header_data_overlap(struct crypt_device *cd, const char *name)
+{
+	if (!name || !isLUKS(cd->type))
+		return 0;
+
+	if (!device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd)))
+		return 0;
+
+	/* FIXME: check real header size */
+	if (crypt_get_data_offset(cd) == 0) {
+		log_err(cd, _("Device header overlaps with data area."));
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
 /*
  * Activation/deactivation of a device
  */
@@ -2923,6 +2940,10 @@ static int _activate_by_passphrase(struct crypt_device *cd,
 	if ((flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) && name)
 		return -EINVAL;
 
+	r = _check_header_data_overlap(cd, name);
+	if (r < 0)
+		return r;
+
 	/* plain, use hashed passphrase */
 	if (isPLAIN(cd->type)) {
 		if (!name)
@@ -3123,6 +3144,10 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
 	if (r < 0)
 		return r;
 
+	r = _check_header_data_overlap(cd, name);
+	if (r < 0)
+		return r;
+
 	/* use key directly, no hash */
 	if (isPLAIN(cd->type)) {
 		if (!name)