CVE-2025-37928: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's dm-bufio component, identified as CVE-2025-37928, was discovered and disclosed on May 20, 2025. The issue occurs when both CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet are enabled, causing improper scheduling in atomic context (Wiz Report, NVD).

The vulnerability manifests when dm_bufio_lock calls spin_lock_bh with try_verify_in_tasklet enabled, causing __scan to be called in atomic context. This triggers a BUG when CONFIG_DEBUG_ATOMIC_SLEEP is enabled, resulting in a sleeping function call from an invalid context at drivers/md/dm-bufio.c:2421. The vulnerability has been assigned a CVSS v3.1 score of 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (Red Hat CVE).

When exploited, this vulnerability can lead to system instability and potential crashes due to improper scheduling in atomic context. The issue specifically affects systems where both CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet are enabled (Wiz Report).

The vulnerability has been resolved in the Linux kernel through patches that prevent scheduling in atomic context within the dm-bufio component. For Debian's stable distribution (bookworm), these problems have been fixed in version 6.1.140-1. Users are recommended to upgrade their Linux packages to the patched versions (Debian Security).