diff --git a/changelog/security/2024-05-16-glibc-2.38-r13.md b/changelog/security/2024-05-16-glibc-2.38-r13.md
new file mode 100644
index 0000000000..fb6d52c54a
--- /dev/null
+++ b/changelog/security/2024-05-16-glibc-2.38-r13.md
@@ -0,0 +1 @@
+- glibc ([CVE-2024-2961](https://nvd.nist.gov/vuln/detail/CVE-2024-2961), [CVE-2024-33599](https://nvd.nist.gov/vuln/detail/CVE-2024-33599), [CVE-2024-33600](https://nvd.nist.gov/vuln/detail/CVE-2024-33600), [CVE-2024-33601](https://nvd.nist.gov/vuln/detail/CVE-2024-33601), [CVE-2024-33602](https://nvd.nist.gov/vuln/detail/CVE-2024-33602))
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
index c62295ae83..7d3514d9b4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
@@ -1,4 +1,4 @@ DIST gcc-multilib-bootstrap-20201208.tar.xz 5528452 BLAKE2B 16699a6e4df5b2f28a21776ae9e3728b26a9ea251f5580aa5349545ad7c9f6145b9cb6a12ca8f5f96b9cb2a3c70b7e66ca702e4c6f083ac00408e0a20a69e613 SHA512 a243f505e17d0a7e144e8713c077582412f61d6cf7f79baa846de4fb77f5e0f27e11c9a785e14624e04ac52287b32164e7995323aa11caef59113ac438254347 -DIST glibc-2.38-patches-10.tar.xz 60792 BLAKE2B e228568f9e9cfa719ee9f2f91d220efa53e4eba617377fdf37bf7381b9f7c43036dfe62dd284b4228e9a99d41223ed0416ed058407a630b84064962518cba90b SHA512 573661299d75b63b7e2f771e9032193492e762e64cbb495b42bb7ad1021532f54f19d829a721e8070c79b2ad5edef077584cc4c76896d951cc93275592cf255c +DIST glibc-2.38-patches-13.tar.xz 92708 BLAKE2B b2f05a793c92ea0b7901d2124fcd968fa846fdf687f8cbdbc17795c33fae2d538133fae66d575c5b98a7a05a29f9f816e7ecd45f3be5ed10ef65adbf92c7fc4d SHA512 24e45a88fa7676ef22a7e2bb864dff27262f69900c4ef76d21c6fee498d728949b6f5d03dd094d1774a66a8a47b779bf4b16ee31e5306bcdb55cedcc0a1c5e9f DIST glibc-2.38.tar.xz 18913712 BLAKE2B f9b039f0ef98a7dd8e1cba228ed10286b9e4fbe4dd89af4d26fa5c4e4cf266f19c2746b44d797ce54739d86499e74cf334aaf311bcf6e30120fd7748453e653f SHA512 a6dd5e42dcd63d58e2820c783522c8c895890b6e8c8e6c83b025553de0cc77cdf227e7044e431ead98c89c68a9ce4dd63509b47e647775fb2075f011849c1900 DIST glibc-systemd-20210729.tar.gz 1480 BLAKE2B 37722c7579df782d890e44dbab99c3de52ab466eb9de80d82405e9bb5620bf39ffc8c5f466a435bdb86ef6d36dd7019c0736573916bda6c67d02a2581e0ec979 SHA512 efd75af58b50522c28cdac7abd1fc56555bc1bb042512c90d8340c1ec09c5791b3872a305bf83723252bbde5855b75d958c041083457765c4cfd170732d09238 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
index 7848c4ed4f..c28e70daaf 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r10.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.38-r13.ebuild
@@ -20,7 +20,7 @@ SLOT="2.2"
 EMULTILIB_PKG="true"
 # Gentoo patchset (ignored for live ebuilds)
-PATCH_VER=10
+PATCH_VER=13
 PATCH_DEV=dilfridge
 # gcc mulitilib bootstrap files version
@@ -576,10 +576,12 @@ setup_env() {
 # Reset CC and CXX to the value at start of emerge
 export CC=${glibc__ORIG_CC:-${CC:-$(tc-getCC ${CTARGET})}}
 export CXX=${glibc__ORIG_CXX:-${CXX:-$(tc-getCXX ${CTARGET})}}
+ export CPP=${glibc__ORIG_CPP:-${CPP:-$(tc-getCPP ${CTARGET})}}
 # and make sure glibc__ORIG_CC and glibc__ORIG_CXX is defined now.
 export glibc__ORIG_CC=${CC}
 export glibc__ORIG_CXX=${CXX}
+ export glibc__ORIG_CPP=${CPP}
 if tc-is-clang && ! use custom-cflags && ! is_crosscompile ; then
 export glibc__force_gcc=yes
@@ -606,6 +608,7 @@ setup_env() {
 export CC="${current_gcc_path}/gcc"
 export CPP="${current_gcc_path}/cpp"
 export CXX="${current_gcc_path}/g++"
+ export CPP="$(tc-getCPP ${CTARGET})"
 export LD="${current_binutils_path}/ld.bfd"
 export AR="${current_binutils_path}/ar"
 export AS="${current_binutils_path}/as"
@@ -644,6 +647,7 @@ setup_env() {
 # acts on CC?)
 export glibc__GLIBC_CC=${CC}
 export glibc__GLIBC_CXX=${CXX}
+ export glibc__GLIBC_CPP=${CPP}
 export glibc__abi_CFLAGS="$(get_abi_CFLAGS)"
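Review bot: The two comments in the -576 hunk still name only CC and CXX although CPP is now saved and restored alongside them; they should read `# Reset CC, CXX and CPP to the value at start of emerge` and `# and make sure glibc__ORIG_CC, glibc__ORIG_CXX and glibc__ORIG_CPP are defined now.`. The same gap is in the -659 hunk, where the new `export CPP="${glibc__GLIBC_CPP} ${glibc__abi_CFLAGS} ${CFLAGS}"` sits under a comment that explains only the C++ tests; a one-line comment saying why the preprocessor also needs the ABI flags would help the next maintainer. setup_env's body continues outside these hunks.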
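Review bot: The added `export CPP="$(tc-getCPP ${CTARGET})"` in the -606 hunk reassigns CPP two lines after the existing `export CPP="${current_gcc_path}/cpp"`, so the earlier assignment is either dead or silently overridden. The neighbouring lines pin CC and CXX to `${current_gcc_path}` and LD, AR and AS to `${current_binutils_path}`, which suggests this branch exists to force one known toolchain; a CPP resolved through tc-getCPP may not come from that path, and a preprocessor that differs from the compiler can make configure-time feature checks disagree with the compiler that actually builds the library. If the override is intended, remove the stale line and add a comment such as `# CPP must be the target-prefixed preprocessor, see <bug reference>`; otherwise drop the new line. The enclosing block starts and ends outside the hunk, so the branch condition is inferred.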
@@ -659,6 +663,8 @@ setup_env() {
 # Some of the tests are written in C++, so we need to force our multlib abis in, bug 623548
 export CXX="${glibc__GLIBC_CXX} ${glibc__abi_CFLAGS} ${CFLAGS}"
+ export CPP="${glibc__GLIBC_CPP} ${glibc__abi_CFLAGS} ${CFLAGS}"
+
 if is_crosscompile; then
 # Assume worst-case bootstrap: glibc is built for the first time
 # with ${CTARGET}-g++ not available yet. We avoid
@@ -1266,6 +1272,11 @@ glibc_src_test() {
 ewarn "Skipping extra tests because in systemd-nspawn container"
 XFAIL_TEST_LIST+=( "${XFAIL_NSPAWN_TEST_LIST[@]}" )
 fi
+ if [[ "$(nice)" == "19" ]] ; then
+ # Expects to be able to increase niceness, which it can't do if
+ # already at the highest nice value
+ XFAIL_TEST_LIST+=( "tst-nice" )
+ fi
 for myt in ${XFAIL_TEST_LIST[@]} ; do
 myxfailparams+="test-xfail-${myt}=yes "