CVE-2024-57977: 
Linux Kernel vulnerability analysis and mitigation

A soft lockup vulnerability (CVE-2024-57977) was discovered in the Linux kernel's memory control group (memcg) functionality. The issue was found when approximately 56,000 tasks were in the OOM (Out Of Memory) cgroup, causing the system to get stuck while traversing them. This vulnerability was discovered in February 2025 and affects Linux kernel versions from 3.6 through 6.12.13 and 6.13 through 6.13.2 (NVD).

The vulnerability occurs in the memory control group (memcg) subsystem when traversing tasks during an OOM condition. When a large number of processes (around 56,000) are in the OOM cgroup, the system experiences a soft lockup while traversing them, with the CPU getting stuck for 23 seconds. The issue manifests as a watchdog BUG report with CPU#2 becoming unresponsive during the VM Thread execution. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to system performance degradation and potential denial of service conditions when the OOM killer process becomes stuck in a soft lockup state. This affects system stability and resource management capabilities, particularly in environments with a large number of processes under memory pressure (NVD).

The issue has been fixed by implementing two key changes in the kernel code: 1) Adding a call to 'condresched' in the 'memcgroupscantasks' function per 1000 iterations, and 2) Calling 'touchsoftlockupwatchdog' per 1000 iterations for global OOM situations. These changes have been implemented in the kernel patches (Kernel Patch).