CVE-2025-37802: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-37802 is a vulnerability discovered in the Linux kernel, specifically affecting the ksmbd component. The vulnerability was disclosed on May 8, 2025, and involves an issue where ksmbddurablescavenger_alive() attempts to acquire a mutex while in a sleeping state (NVD).

The vulnerability occurs when waiteventtimeout() sets the current task state to TASKUNINTERRUPTIBLE before performing the condition check. This leads to ksmbddurablescavengeralive() attempting to acquire a mutex while already in a sleeping state, triggering a scheduler warning: 'do not call blocking ops when !TASKRUNNING; state=2'. The issue was identified at the preparetowaitevent+0x9f/0x6c0 location (NVD).

The vulnerability affects multiple Linux distributions including Ubuntu versions 16.04 through 25.04, and various kernel configurations including AWS, Azure, and GCP deployments. Multiple Ubuntu releases are marked as vulnerable, including the latest LTS versions (Ubuntu).

The vulnerability has been addressed in some distributions, with fixes being rolled out across different versions. Debian 13 has implemented a fix, while Debian 11 and 12 remain without fixes. Ubuntu has marked this as a medium priority issue and is working on updates for affected versions (Wiz).