Loading
Linux June 01, 2026 6 min read

Understanding OOM (Out of Memory) in Linux

Introduction

If you’ve ever experienced a Linux server suddenly becoming unresponsive, a critical service unexpectedly stopping, or applications crashing without an obvious error, there’s a good chance an Out of Memory (OOM) event was involved.

The Linux kernel includes a built-in protection mechanism known as the OOM Killer, which is designed to keep the operating system running when available memory becomes critically low. While this mechanism helps prevent complete system failures, it can also terminate important processes, resulting in service disruptions and unexpected downtime.

In this article, we’ll explore what OOM is, how the Linux OOM Killer works, how to identify OOM events, and what administrators can do to prevent them.

What Is OOM?

OOM stands for Out of Memory.

A Linux system relies on both physical RAM and swap space to run applications and services. When available memory becomes exhausted and the kernel cannot satisfy new memory allocation requests, the system enters an Out of Memory state.

Rather than allowing the entire server to freeze, Linux activates the OOM Killer to reclaim memory by terminating one or more processes.

This allows the operating system to continue functioning even under severe memory pressure.

Why Do OOM Events Occur?

Several factors can contribute to memory exhaustion:

  • Applications consuming excessive memory
  • Memory leaks within software
  • Insufficient physical RAM
  • Lack of swap space
  • Large database workloads
  • High numbers of concurrent users
  • Browser-based automation tools
  • Poorly optimized applications

Consider a server with 4 GB of RAM running multiple services. If the combined memory requirements exceed available RAM and swap space, the kernel eventually reaches a point where it cannot allocate additional memory.

At that stage, the OOM Killer is triggered.

Understanding the Linux OOM Killer

The OOM Killer is a component of the Linux kernel responsible for recovering memory when the system is under extreme memory pressure.

When activated, the kernel evaluates running processes and calculates a score that determines how likely a process is to be terminated.

Factors that influence this decision include:

  • Current memory consumption
  • Process priority
  • Runtime duration
  • User privileges
  • OOM score adjustments

Processes consuming large amounts of memory are generally more likely to be selected.

Once the kernel chooses a target, it sends a SIGKILL signal, immediately terminating the process and freeing its memory resources.

Unlike normal shutdown signals, SIGKILL cannot be intercepted or ignored.

How Linux Chooses a Process to Kill

The OOM Killer does not randomly terminate applications.

Linux calculates what is commonly known as a badness score for each process. The process with the highest score becomes the most likely candidate for termination.

Administrators can view a process’s OOM score using:

cat /proc/<pid>/oom_score

A higher value indicates a higher probability of being selected during an OOM event.

Linux also provides an adjustment mechanism called oom_score_adj:

cat /proc/<pid>/oom_score_adj

To protect a critical process:

echo -1000 > /proc/<pid>/oom_score_adj

To make a process more likely to be terminated:

echo 1000 > /proc/<pid>/oom_score_adj

This feature is useful when protecting important services such as databases, monitoring systems, or infrastructure components.

The Sacrifice Child Principle

The Linux kernel often follows what is known as the Sacrifice Child Principle.

When deciding between a parent process and its child processes, Linux generally prefers terminating child processes first.

For example:

  • Web server worker processes
  • Application workers
  • Background task handlers
  • Browser subprocesses

This approach helps preserve the main application while reclaiming memory from less critical components.

However, if the parent process continues creating memory-intensive child processes, repeated OOM events may still occur.

How to Detect OOM Events

When troubleshooting memory-related issues, kernel logs are the first place to investigate.

Useful commands include:

dmesg | grep -i oom
dmesg | grep -i "Out of memory"
journalctl -k | grep -i oom

A typical OOM entry might look like:

Out of memory: Killed process 825316 (mysqld)

This indicates that the kernel selected and terminated the MySQL process to reclaim memory.

Understanding Memory Metrics

Understanding Linux memory metrics can help identify the root cause of OOM events.

Virtual Memory (VmSize)

Virtual memory represents the total memory mapped by a process.

cat /proc/<pid>/status | grep VmSize

A large virtual memory value does not necessarily mean the process is consuming large amounts of physical RAM.

Resident Set Size (RSS)

RSS represents the actual physical memory currently used by a process.

cat /proc/<pid>/status | grep VmRSS

The OOM Killer primarily considers real memory consumption, making RSS a more useful metric when troubleshooting.

Anonymous RSS

Anonymous RSS includes:

  • Heap memory
  • Stack memory
  • Dynamic allocations

These memory pages are not backed by files and typically contribute heavily to memory pressure.

File RSS

File RSS includes:

  • Shared libraries
  • Memory-mapped files
  • Cached file data

This memory can often be reclaimed more easily by the kernel.

Monitoring Memory Usage

Regular monitoring is one of the best ways to prevent OOM events.

View Overall Memory Usage

free -h

Monitor Running Processes

htop

View Detailed Process Information

top

Check Memory Information

cat /proc/meminfo

By monitoring memory trends over time, administrators can identify applications that gradually consume excessive resources before they become a problem.

How to Prevent OOM Events

1. Enable Swap Space

Swap provides additional virtual memory when physical RAM becomes exhausted.

Example:

fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

While swap is slower than RAM, it can help prevent sudden OOM situations.

2. Optimize Applications

Review memory-intensive workloads regularly.

Common improvements include:

  • Fixing memory leaks
  • Reducing cache sizes
  • Limiting worker processes
  • Optimizing application configurations
  • Updating outdated software

3. Monitor Memory Usage Continuously

Monitoring helps identify abnormal memory growth before it becomes critical.

Tools such as:

  • htop
  • top
  • vmstat
  • sar
  • Prometheus
  • Grafana

can provide valuable insights into system behavior.

4. Upgrade Server Resources

If workloads consistently exceed available resources, increasing physical RAM may be necessary.

Adding memory is often the simplest solution when application optimization is insufficient.

Best Practices

To minimize the risk of OOM events:

  • Enable swap space on production servers
  • Monitor memory usage regularly
  • Investigate abnormal memory growth
  • Review kernel logs frequently
  • Protect critical services using OOM score adjustments when appropriate
  • Keep software updated
  • Perform capacity planning before resource exhaustion occurs

Conclusion

The Linux OOM Killer is a critical safety mechanism designed to protect the operating system when memory resources become exhausted. While it helps prevent complete system failure, OOM events often indicate underlying resource constraints or application issues that require attention.

By understanding how the OOM Killer works, monitoring memory usage effectively, and implementing preventative measures such as swap space and application optimization, Linux administrators can significantly reduce the likelihood of unexpected service interruptions and maintain stable, reliable systems.

← Previous Article

Next Article →