This is the somewhat-delayed^Wlong-awaited first stable release of the
1.5.z release branch of runc. It contains a handful of fixes for issues
found in 1.5.0-rc.3 and an important dependency bump for libpathrs.

This is the third release of runc following our new release and support
policy (see RELEASES.md for more details). This means that, as of this
release:

• The runc 1.2.z (and earlier) release branches are now completely
  unsupported.
• The runc 1.3.z release branch will now only receive high severity
  CVE fixes, and will no longer be supported in less than 6 months (end
  of October 2026).
• The runc 1.4.z release branch will now only recieve security and
  "significant" bugfixes.
• Users are encouraged to plan migrating to runc 1.5.0 as soon as
  possible.
• Despite this release being delayed by over a month, users should
  still expect a runc 1.6.0 release in late October 2026.

Added

• runc version and runc features now provide version information about
  libpathrs (when runc is built with the libpathrs build tag). (#5291, #5328)

Fixed

• Since runc 1.3.0, the org.opencontainers.runc.version annotation included
  in runc features contained an extraneous \n, possibly causing issues with
  tools that parse the output. It is now properly stripped. (#5329, #5330,
  #5331, #5335)

Changed

• runc (when built with the libpathrs build tag) now depends on libpathrs
  v0.2.5 or later, and attempting to build with older versions will cause
  compilation errors. (#5291, #5328)
• Switched to go-criu v8.3.0, which reduces our binary size from ~16MB to
  ~14MB. (#5312, #5326)

Static Linking Notices

The runc binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

Similarly, the runc binaries distributed with this release are also
statically linked with the following MPLv2 licensed libraries,
with runc acting as a "Larger Work":

• libpathrs

The versions of these libraries were not modified from their upstream versions,
but in order to comply with their corresponding licenses, we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under their respective
licenses.

However, we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors who made this release possible:

• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Kir Kolyshkin kolyshkin@gmail.com
• Rodrigo Campos Catelin rodrigo@amutable.com

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

This is the third release candidate for the 1.5.z series of runc. Among
some performance improvements and bugfixes, it includes a fix for a
low-severity vulnerability (CVE-2026-41579) and users are encouraged to
update. As it was a low-severity vulnerability and it was reported by
multiple people, we decided to release it publicly with NO EMBARGO.

We plan to release 1.5.0 in the next two weeks.

Security

This release includes a fix for the following low-severity security issue:

• CVE-2026-41579 allowed a malicious image with a /dev symlink to have
  limited write access to the host filesystem in ways that our analysis
  indicates was too limited to be problematic in practice. This bug was very
  similar to those fixed in CVE-2025-31133, CVE-2025-52565,
  CVE-2025-31133 and was simply missed at the time when we hardened the
  rootfs preparation code. We have conducted a deeper audit and not found any
  other problematic cases.

libcontainer API

• The cmsg helpers from github.com/opencontainers/runc/libcontainer/utils
  have been moved to an internal package. We have included wrapper functions
  but they will be removed in runc 1.6. (#5227, #5231)
• Added //go:fix inline to ease migration for libcontainer/devices symbols
  that are deprecated and scheduled for removal in runc 1.6. (#5223, #5225)

Fixed

• runc list now correctly handles non-existant --root arguments. (#5297,
  #5301)
• Various integration test improvements. (#5222, #5226, #5232, #5239, #5230,
  #5236, #5246, #5248, #5279, #5283, #5269, #5286, #5295, #5303)

Changed

• When masking directories with maskPaths, runc will now re-use a single
  tmpfs instance (which is not writable) to reduce the number tmpfs
  superblocks that need to be reaped when containers die (in particular,
  Kubernetes applies masks to per-CPU sysfs directories which get expensive
  quickly). (#5275, #5280)

Static Linking Notices

The runc binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

Similarly, the runc binaries distributed with this release are also
statically linked with the following MPLv2 licensed libraries,
with runc acting as a "Larger Work":

• libpathrs

The versions of these libraries were not modified from their upstream versions,
but in order to comply with their corresponding licenses, we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under their respective
licenses.

However, we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Davanum Srinivas davanum@gmail.com
• Kevin Berry kpberry11@gmail.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fubang lifubang@acmcoder.com
• RedMakeUp girafeeblue@gmail.com
• Ricardo Branco rbranco@suse.de
• Rodrigo Campos Catelin rodrigo@amutable.com
• Sebastiaan van Stijn github@gone.nl

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

This is the third patch release of the 1.4.z series of runc. Among some
performance improvements and bugfixes, it includes a fix for a
low-severity vulnerability (CVE-2026-41579) and users are encouraged to
update. As it was a low-severity vulnerability and it was reported by
multiple people, we decided to release it publicly with NO EMBARGO.

Security

This release includes a fix for the following low-severity security issue:

• CVE-2026-41579 allowed a malicious image with a /dev symlink to have
  limited write access to the host filesystem in ways that our analysis
  indicates was too limited to be problematic in practice. This bug was very
  similar to those fixed in CVE-2025-31133, CVE-2025-52565,
  CVE-2025-31133 and was simply missed at the time when we hardened the
  rootfs preparation code. We have conducted a deeper audit and not found any
  other problematic cases.

Fixed

• Various integration test improvements. (#5222, #5237, #5226, #5229, #5239,
  #5249, #5269, #5287, #5295, #5304)

Changed

• When masking directories with maskPaths, runc will now re-use a single
  tmpfs instance (which is not writable) to reduce the number tmpfs
  superblocks that need to be reaped when containers die (in particular,
  Kubernetes applies masks to per-CPU sysfs directories which get expensive
  quickly). (#5275, #5281)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Ayato Tokubi atokubi@redhat.com
• Davanum Srinivas davanum@gmail.com
• Kevin Berry kpberry11@gmail.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fubang lifubang@acmcoder.com
• Ricardo Branco rbranco@suse.de
• Rodrigo Campos Catelin rodrigo@amutable.com
• Tianon Gravi admwiggin@gmail.com

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

This is the sixth patch release of the 1.3.z series of runc. Among some
performance improvements and bugfixes, it includes a fix for a
low-severity vulnerability (CVE-2026-41579) and users are encouraged to
update. As it was a low-severity vulnerability and it was reported by
multiple people, we decided to release it publicly with NO EMBARGO.

Security

This release includes a fix for the following low-severity security issue:

• CVE-2026-41579 allowed a malicious image with a /dev symlink to have
  limited write access to the host filesystem in ways that our analysis
  indicates was too limited to be problematic in practice. This bug was very
  similar to those fixed in CVE-2025-31133, CVE-2025-52565,
  CVE-2025-31133 and was simply missed at the time when we hardened the
  rootfs preparation code. We have conducted a deeper audit and not found any
  other problematic cases.

  This patchset required backports for #5190 and #5285, which were primarily
  code reorganisations that were already backported to runc 1.4 and 1.5.

Fixed

• A regression in runc v1.3.0 which can result in a stuck runc exec or
  runc run when the container process runs for a short time. (#5208,
  #5210, #5215)
• Various integration test improvements. (#5159, #5188, #5226, #5228, #5239,
  #5253, #5269, #5288)

Changed

• When masking directories with maskPaths, runc will now re-use a single
  tmpfs instance (which is not writable) to reduce the number tmpfs
  superblocks that need to be reaped when containers die (in particular,
  Kubernetes applies masks to per-CPU sysfs directories which get expensive
  quickly). (#5275, #5281)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Aleksa Sarai cyphar@cyphar.com
• Ayato Tokubi atokubi@redhat.com
• Davanum Srinivas davanum@gmail.com
• Kevin Berry kpberry11@gmail.com
• Kir Kolyshkin kolyshkin@gmail.com
• Ricardo Branco rbranco@suse.de
• Rodrigo Campos Catelin rodrigo@amutable.com
• Li Fubang lifubang@acmcoder.com

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

This is the second release candidate of the runc 1.5.0 release. It
mostly contains build fixes and improvements, but also includes
a new minor feature and some deprecations.
runc v1.5.0-rc.2 includes all of the patches backported to runc v1.4.2.

Users are strongly encouraged to test our release candidates over the
next few weeks so we can fix issues before the general release. You
should expect runc 1.5.0 to be released at the end of April 2026 (at
which point, runc 1.3.z will only receive high-severity security fixes
for 6 months and runc 1.2.z will become unmaintained -- users are thus
very strongly encouraged to migrate to a newer version).

Fixed

• Building with libpathrs for systems that use non-GNU awk, e.g. Debian.
  (#5196, #5194)

Added

• Installation notes for libpathrs. (#5199, #5195)
• Support for specs.LinuxSeccompFlagWaitKillableRecv. (#5183, #5172)
• When building runc, RUNC_BUILDTAGS make or shell environment variable can
  be used to add build tags and/or remove existing build tags (when a tag is
  prefixed with -). (#5198, #5171)

Changed

• runc now requires Go 1.25+ to build. (#5211, #5205)
• libcontainer now pre-opens container root filesystem and uses the file
  descriptor (rather than the path) for most operations related to container
  root during container start. (#5204, #5190)

Deprecated

• EXTRA_BUILDTAGS make variable is deprecated in favor of RUNC_BUILDTAGS
  and will be removed in runc 1.6. (#5171, #5198)
• libcontainer/devices has been deprecated in favour of
  github.com/moby/sys/devices (which is a carbon copy of the package). It
  will be removed in runc 1.6. (#5220, #5142)

Static Linking Notices

The runc binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

Similarly, the runc binaries distributed with this release are also
statically linked with the following MPLv2 licensed libraries,
with runc acting as a "Larger Work":

• libpathrs

The versions of these libraries were not modified from their upstream versions,
but in order to comply with their corresponding licenses, we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under their respective
licenses.

However, we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Akhil Mohan akhilerm@gmail.com
• Aleksa Sarai cyphar@cyphar.com
• Ayato Tokubi atokubi@redhat.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fubang lifubang@acmcoder.com
• Rodrigo Campos Catelin rodrigo@amutable.com

Signed-off-by: Kir Kolyshkin kolyshkin@gmail.com

This is the second patch release of the 1.4.z release series of runc.

Fixed

• A regression in runc v1.3.0 which can result in a stuck runc exec or
  runc run when the container process runs for a short time. (#5208,
  #5210, #5216)

• Mount sources that need to be open on the host are now closed earlier during
  container start, reducing the total amount of used file descriptors and
  helping to avoid hitting the open files limit when handling many such mounts.
  (#5177, #5201)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Ayato Tokubi atokubi@redhat.com
• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fubang lifubang@acmcoder.com
• Rodrigo Campos Catelin rodrigo@amutable.com

Signed-off-by: Kir Kolyshkin kolyshkin@gmail.com

This is the fifth patch release of the 1.3.z release series of runc,
and primarily contains a few fixes for issues found in 1.3.4.

Fixed

• Recursive atime-related mount flags (rrelatime et al.) are now applied
  properly. (#5115, #5098)
• PR #4757 caused a regression that resulted in spurious
  cannot start a container that has stopped errors when
  running runc create and has thus been reverted. (#5158,
  #5153, #5151, #4645, #4757)

Changed

• Updated builds to Go 1.25, libseccomp v2.6.0. (#5111, #5053)
• Minor signing keyring updates. (#5146, #5139, #5144, #5148)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Aleksa Sarai cyphar@cyphar.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fu Bang lifubang@acmcoder.com
• Ricardo Branco rbranco@suse.de

This is the first release candidate of the runc 1.5.0 release. It
contains a couple of new features, but is mostly made up of various
cleanups (such as the removal of many deprecated APIs) and improvements.
runc v1.5.0-rc.1 includes all of the patches backported to runc v1.4.1.

Users are strongly encouraged to test our release candidates over the
next two months so we can fix issues before the general release. You
should expect runc 1.5.0 to be released at the end of April 2026 (at
which point, runc 1.3.z will only receive high-severity security fixes
for 6 months and runc 1.2.z will become unmaintained -- users are thus
very strongly encouraged to migrate to a newer version).

libcontainer API

• The following deprecated Go APIs have been removed:
  • CleanPath, StripRoot, and WithProcfd from libcontainer/utils. Note
    that WithProcfdFile has not been removed (due to import cycle issues) but
    is instead marked as internal in its godoc comment. (#5051)
  • All of the cgroup-related types and functions from libcontainer/configs
    which are now maintained in github.com/opencontainers/cgroups (#5141):
    • libcontainer/configs.Cgroup
    • libcontainer/configs.Resources
    • libcontainer/configs.FreezerState
    • libcontainer/configs.LinuxRdma
    • libcontainer/configs.BlockIODevice
    • libcontainer/configs.WeightDevice
    • libcontainer/configs.ThrottleDevice
    • libcontainer/configs.HugepageLimit
    • libcontainer/configs.IfPrioMap
    • libcontainer/configs.Undefined
    • libcontainer/configs.Frozen
    • libcontainer/configs.Thawed
    • libcontainer/configs.NewWeightDevice
    • libcontainer/configs.NewThrottleDevice
  • libcontainer/configs.HookList.RunHooks. (#5141)
  • libcontainer/configs.MPOL_* (#5141)
  • All of the types in libcontainer/devices which are now maintained in
    github.com/opencontainers/cgroups/devices/config (#5141):
    • libcontainer/devices.Wildcard
    • libcontainer/devices.WildcardDevice
    • libcontainer/devices.BlockDevice
    • libcontainer/devices.CharDevice
    • libcontainer/devices.FifoDevice
    • libcontainer/devices.Device
    • libcontainer/devices.Permissions
    • libcontainer/devices.Type
    • libcontainer/devices.Rule
• libcontainer.Process methods (Wait, Pid, Signal) and
  libcontainer/configs.Config methods (HostUID, HostRootUID, HostGID,
  HostRootGID) now use pointer receivers. (#5088)
• The example code for libcontainer has been moved out of a README and into
  a proper Example* test file that will be compile-tested by our CI. As
  mentioned elsewhere, we still do not recommend users make use of the
  libcontainer API directly. (#5127)

Deprecated

• The libcontainer/configs.Mount.Relabel configuration field (used to relabel
  mounts with the z and Z "pseudo" mount options) was never accessible
  outside of the libcontainer API, and in practice the relabel logic has always
  lived in higher level runtimes. It has been made into a no-op and the field
  will be removed entirely in runc 1.7. (#5152, #5160)

Removed

• The memfd-bind helper binary has been removed, as it has never been
  particularly useful and was completely obsoleted by the changes to
  /proc/self/exe sealing we introduced in runc 1.2.0. (#5141)

Added

• User-namespaced containers can now configure user.* sysctls. (#4889)
• Intel RDT: the RDT subdirectory is now only removed if runc created it,
  matching the updated runtime-spec guidance. (#3832, #5155)

Changed

• Our release binaries and default build configuration now use libpathrs by
  default, providing better hardening against certain kinds of attacks. Users
  of runc should not see any changes as a result of this, but packagers will
  need to adjust their packaging accordingly. runc can still be built without
  libpathrs (by building without the libpathrs build tag), but we currently
  plan to make runc 1.6 require libpathrs. (#5103)
• runc exec will now request systemd to move the exec process into the
  container cgroup, making the procedure more rootless-friendly. (#4822)
• seccomp: minor documentation updates. (#4902)
• Errors from runc init have historically been quite painful to understand
  and debug, we have made several improvements to make them more comprehensive
  and thus useful when debugging issues. (#4951, #4928)
• Update spec conformance documentation for OCI runtime-spec v1.3.0. (#4948,
  #5150)
• Our release archives now have the name runc-$version.tar.xz to make distro
  packaging a little easier by matching the filename to the top-level directory
  name in the archive. (#5052)

Static Linking Notices

The runc binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

Similarly, the runc binaries distributed with this release are also
statically linked with the following MPLv2 licensed libraries,
with runc acting as a "Larger Work":

• libpathrs

The versions of these libraries were not modified from their upstream versions,
but in order to comply with their corresponding licenses, we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under their respective
licenses.

However, we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai aleksa@amutable.com
• Antti Kervinen antti.kervinen@intel.com
• Ariel Otilibili otilibil@eurecom.fr
• Arina Cherednik arinacherednik034@gmail.com
• Curd Becker me@curd-becker.de
• Dimitri John Ledkov dimitri.ledkov@surgut.co.uk
• Donet Tom donettom@linux.ibm.com
• Efim Verzakov efimverzakov@gmail.com
• Ismo Puustinen ismo.puustinen@intel.com
• Joshua Rogers MegaManSec@users.noreply.github.com
• Kir Kolyshkin kolyshkin@gmail.com
• Lei Wang ssst0n3@gmail.com
• Li Fubang lifubang@acmcoder.com
• Luke Hinds luke@stacklok.com
• Markus Lehtonen markus.lehtonen@intel.com
• Osama Abdelkader osama.abdelkader@gmail.com
• Phil Estes estesp@gmail.com
• Ricardo Branco rbranco@suse.de
• Rodrigo Campos Catelin rodrigo@amutable.com
• Tianon Gravi admwiggin@gmail.com
• Tycho Andersen tycho@tycho.pizza
• Tõnis Tiigi tonistiigi@gmail.com
• Vishal Chourasia vishalc@linux.ibm.com
• zhaixiaojuan zhaixiaojuan@loongson.cn

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

This is the first patch release of the 1.4.z release series of runc.
It primarily includes some fixes for issues found in 1.4.0.

Deprecated

• libcontainer/configs.MPOL_* constants added in runc 1.4.0. (#5110, #5055)

Added

• Preliminary loong64 support. (#5062, #4938)

Fixed

• libct: fix panic in initSystemdProps when processing certain systemd
  properties in the OCI spec. (#5161, #5133)
• libct: fix several file descriptor leaks on error paths. (#5168, #5009)
• Remove unnecessary crypto/tls dependency by open-coding the systemd socket
  activation logic, allowing us to more easily avoid false positive CVE
  warnings. (#5093, #5057)
• Remove legacy os.Is* error usage, improving error type detection to make
  our error fallback paths more robust. (#5162, #5061)
• Go 1.26 has started enforcing a restriction of os/exec.Cmd which caused
  issues with our usage of CLONE_INTO_CGROUP (on newer kernels). This has now
  been resolved. (#5116, #5091)
• Recursive atime-related mount flags (rrelatime et al.) are now applied
  properly. (#5114, #5098)
• Fix a regression in runc exec due to CLONE_INTO_CGROUP in the
  (inadvisable) scenario where a container is configured without cgroup
  namespaces and with /sys/fs/cgroup mounted rw. (#5117, #5101)
• On machines with more than 1024 CPU cores, our logic for resetting the CPU
  affinity will now correctly reset the affinity onto all available cores
  (not just the first 1024). (#5149, #5025)
• PR #4757 caused a regression that resulted in spurious
  cannot start a container that has stopped errors when running
  runc create and has thus been reverted. (#5157, #5153, #5151, #4645, #4757)

Changed

• Previously we made an attempt to make our runc.armhf release binaries work
  with ARMv6 (which would allow runc to work on the original Raspberry Pi).
  Unfortunately, this has effectively always been broken (because we
  cross-compile libseccomp within a Debian container and statically link to
  it) and so we are now officially matching the Debian definition of armhf
  (that is, ARMv7). (#5167, #5103)
• Minor signing keyring updates. (#5147, #5139, #5144, #5148)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Antti Kervinen antti.kervinen@intel.com
• Ariel Otilibili otilibil@eurecom.fr
• Arina Cherednik arinacherednik034@gmail.com
• Curd Becker me@curd-becker.de
• Dimitri John Ledkov dimitri.ledkov@surgut.co.uk
• Efim Verzakov efimverzakov@gmail.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fu Bang lifubang@acmcoder.com
• Luke Hinds luke@stacklok.com
• Ricardo Branco rbranco@suse.de
• Rodrigo Campos rata@users.noreply.github.com
• Zhai Xiao Juan zhaixiaojuan@loongson.cn

This is the first release of the 1.4.z release branch of runc. It
contains a few fixes for issues found in 1.4.0-rc.3. This version of
runc supports runtime-spec v1.3 (see docs/spec-conformance.md for the
few features that are still missing).

This is the second release of runc following our new release and support
policy (see RELEASES.md for more details). This means that, as of this
release:

• The runc 1.2.z release branch will now only receive high severity
  CVE fixes, and will no longer be supported in less than 6 months (end
  of April 2026).
• The runc 1.3.z release branch will now only receive security and
  "significant" bugfixes.
• Users are encouraged to plan migrating to runc 1.4.0 as soon as
  possible.
• Despite this release being delayed by a month, users should still
  expect a runc 1.5.0 release in late April 2026.

Deprecated

• Deprecate cgroup v1. (#4956)
• Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from
  libcontainer/utils. (#4985)

Breaking

• The handling of pids.limit has been updated to match the newer guidance
  from the OCI runtime specification. In particular, now a maximum limit value
  of 0 will be treated as an actual limit (due to limitations with systemd,
  it will be treated the same as a limit value of 1). We only expect users
  that explicitly set pids.limit to 0 will see a behaviour change.
  (opencontainers/cgroups#48, #4949)

Fixed

• cgroups: provide iocost statistics for cgroupv2. (opencontainers/cgroups#43)
• cgroups: retry DBus connection when it fails with EAGAIN.
  (opencontainers/cgroups#45)
• cgroups: improve cpuacct.usage_all resilience when parsing data from
  patched kernels (such as the Tencent kernels). (opencontainers/cgroups#46,
  opencontainers/cgroups#50)
• libct: close child fds on prepareCgroupFD error. (#4936)
• libct: fix mips compilation. (#4962, #4967)
• When configuring a tmpfs mount, only set the mode= argument if the target
  path already existed. This fixes a regression introduced in our
  CVE-2025-52881 mitigation patches. (#4971, #4976)
• Fix various file descriptor leaks and add additional tests to detect them as
  comprehensively as possible. (#5007, #5021, #5034)
• The "hallucination" helpers added as part of the CVE-2025-52881
  mitigation have been made more generic and now apply to all of our pathrs
  helper functions, which should ensure we will not regress dangling symlink
  users. (#4985)

Changed

• libct: switch to (*CPUSet).Fill. (#4927)
• docs/spec-conformance.md: update for spec v1.3.0. (#4948)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fu Bang lifubang@acmcoder.com
• Rodrigo Campos rata@users.noreply.github.com
• Tianon Gravi admwiggin@gmail.com