diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild
index bae06cc0fa..b277b7a7bb 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild
@@ -29,7 +29,7 @@ SLOT="0"
 IUSE="+btrfs hardened"
 DEPEND="btrfs? ( sys-fs/btrfs-progs )"
-RDEPEND="~app-emulation/docker-runc-1.1.4
+RDEPEND="~app-emulation/docker-runc-1.1.5
 sys-libs/libseccomp"
 S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
index 522ba8235b..8fd3f19b0b 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
@@ -1 +1 @@
-DIST docker-runc-1.1.4.tar.gz 2337285 BLAKE2B b82beac54eb07cf0a657af910201fcff05579d7311bef9d07df1fc8b60fac2b9560b250366193f0f84319ced66bc3f1a1af1bb8a57233187e7ef77a7799b55e7 SHA512 c6665265369af843550181fe44217d0e4f5c3b019c47359bfe9db94dcbd1866c05756b09adea905437bbff8bcfd2b6b02185ca4e7f1d62ed3bf177118308e41a
+DIST docker-runc-1.1.5.tar.gz 2337543 BLAKE2B ed2aed98c4e8fcfe7040772df9e090e38a95355bcfa2948030866b83b8097794df9e0ebe2bb1a99f5c63a6d5300493d67493018957f6116ee07d66872f87bef3 SHA512 8a4cde9a8aaa5e1f75ec6731b18f56aa34ab969246f4a8d6ebfea5d100b0c113553bec49f29b851129d371a13c803c1e86425779eb8d498dba588c63d2a2ac57
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.4.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.5.ebuild
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.5.ebuild
index 92254a06ea..4375e1bb59 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.5.ebuild
@@ -8,7 +8,7 @@ COREOS_GO_PACKAGE="${GITHUB_URI}"
 COREOS_GO_VERSION="go1.18"
 # the commit of runc that docker uses.
 # see https://github.com/docker/docker-ce/blob/v19.03.15/components/engine/hack/dockerfile/install/runc.installer#L4
-COMMIT_ID="81a44cf162f4409cc6ff656e2433b87321bf8a7a"
+COMMIT_ID="4ef48971e5d827018b74876a06e32ab7636f0a26"
 inherit eutils flag-o-matic coreos-go vcs-snapshot
@@ -55,7 +55,7 @@ src_compile() {
 )
 GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \
- VERSION=1.1.4+dev.docker-20.10 \
+ VERSION=1.1.5+dev.docker-20.10 \
 COMMIT="${COMMIT_ID}"
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
index dba875395f..d9b38e9a88 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
@@ -9,38 +9,38 @@ root. This allows us to apply the container SELinux label to mqueue.
Signed-off-by: Mrunal Patel +(dpark: Adjust the logic according to the new code of v1.1.5) +Signed-off-by: Dongsu Park --- libcontainer/nsenter/nsexec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index 0ad68834..5100698a 100644 +index 2d224bab..4865261f 100644 --- a/libcontainer/nsenter/nsexec.c +++ b/libcontainer/nsenter/nsexec.c -@@ -719,7 +719,12 @@ void nsexec(void) +@@ -1241,7 +1241,12 @@ void nsexec(void) * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID) * was broken, so we'll just do it the long way anyway. */ - write_log(DEBUG, "unshare remaining namespace (except cgroupns)"); -- if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0) +- try_unshare(config.cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)"); + uint32_t apply_cloneflags = config.cloneflags; + if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) { + apply_cloneflags &= ~CLONE_NEWIPC; + } + -+ if (unshare(apply_cloneflags & ~CLONE_NEWCGROUP) < 0) - bail("failed to unshare remaining namespaces (except cgroupns)"); ++ try_unshare(apply_cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)"); - /* -@@ -841,6 +846,11 @@ void nsexec(void) - bail("setgroups failed"); + /* Ask our parent to send the mount sources fds. */ + if (config.mountsources) { +@@ -1362,6 +1367,10 @@ void nsexec(void) + try_unshare(CLONE_NEWCGROUP, "cgroup namespace"); } + if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) { -+ if (unshare(CLONE_NEWIPC) < 0) -+ bail("unshare ipc failed"); ++ try_unshare(CLONE_NEWIPC, "ipc namespace"); + } + - /* - * Wait until our topmost parent has finished cgroup setup in - * p.manager.Apply(). + write_log(DEBUG, "signal completion to stage-0"); + s = SYNC_CHILD_FINISH; + if (write(syncfd, &s, sizeof(s)) != sizeof(s)) 
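Review bot: The deferred `try_unshare(CLONE_NEWIPC, "ipc namespace")` in the second inner hunk now sits after the cgroup-namespace unshare and directly before the `SYNC_CHILD_FINISH` write, whereas the previous version of this patch placed it ahead of the "Wait until our topmost parent has finished cgroup setup" comment, and nothing in the hunk records why the new position is the right one. A short comment at that call would keep the next rebase from moving it again, e.g. `/* Deferred from the unshare() above (see patch header): with CLONE_NEWUSER the IPC namespace is created here so the mqueue mount can carry the container SELinux label; presumably it must still happen before SYNC_CHILD_FINISH is sent. */`. The test `(config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)` now appears twice in nsexec(); computing `bool defer_ipc = ...` once beside `apply_cloneflags` and reusing it at the deferred call would stop the two sites from drifting apart. Assuming `try_unshare` still bails on failure as the removed `bail(...)` lines did, error handling is unchanged and no namespace is silently skipped, but that helper is outside the hunk and worth confirming. nsexec() itself begins and ends outside the hunk.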
diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild
index 4f269fbfa9..0e81e22253 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild
@@ -15,7 +15,7 @@ RDEPEND="
 ~app-emulation/docker-cli-20.10.23
 ~app-emulation/containerd-1.6.19
 ~app-emulation/docker-proxy-0.8.0_p20210525
- ~app-emulation/docker-runc-1.1.4
+ ~app-emulation/docker-runc-1.1.5
 =dev-libs/libltdl-2.4.7
 ~sys-process/tini-0.19.0
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2023-04-11-runc-1.1.5.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2023-04-11-runc-1.1.5.md
new file mode 100644
index 0000000000..d8d6d14737
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2023-04-11-runc-1.1.5.md
@@ -0,0 +1 @@
+- runc ([CVE-2023-25809](https://nvd.nist.gov/vuln/detail/CVE-2023-25809), [CVE-2023-27561](https://nvd.nist.gov/vuln/detail/CVE-2023-27561), [CVE-2023-28642](https://nvd.nist.gov/vuln/detail/CVE-2023-28642))
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-03-30-runc-1.1.5-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-03-30-runc-1.1.5-update.md
new file mode 100644
index 0000000000..8367fcbdd7
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-03-30-runc-1.1.5-update.md
@@ -0,0 +1 @@
+- runc ([1.1.5](https://github.com/opencontainers/runc/releases/tag/v1.1.5))