CVE-2025-38496: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38496 is a vulnerability discovered in the Linux kernel's dm-bufio component, specifically related to scheduling in atomic context. The issue was disclosed on July 28, 2025, affecting systems where 'try_verify_in_tasklet' is set for dm-verity, causing DM_BUFIO_CLIENT_NO_SLEEP to be enabled for dm-bufio (NVD).

The vulnerability occurs when bufio attempts to evict buffers, potentially triggering scheduling in spin_lock_bh. This results in a sleeping function being called from an invalid context at drivers/md/dm-bufio.c:2745. The issue manifests with specific conditions: in_atomic(): 1, irqs_disabled(): 0, non_block: 0, and involves multiple locks held by the kworker process (NVD).

When exploited, this vulnerability can cause system instability by triggering kernel warnings and potentially affecting the dm-verity functionality, which is crucial for maintaining verified boot and system integrity (Debian Tracker).

The vulnerability has been fixed in various Linux kernel versions. Debian has addressed this in bullseye (5.10.223-1) and bookworm (6.1.137-1) releases, while it remains vulnerable in trixie, forky, and sid distributions (Debian Tracker).