diff --git a/changelog/security/2024-02-12-runc.md b/changelog/security/2024-02-12-runc.md
new file mode 100644
index 0000000000..440109af62
--- /dev/null
+++ b/changelog/security/2024-02-12-runc.md
@@ -0,0 +1 @@
+- runc ([CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626))
diff --git a/changelog/updates/2024-02-12-runc.md b/changelog/updates/2024-02-12-runc.md
new file mode 100644
index 0000000000..ae9ce30e02
--- /dev/null
+++ b/changelog/updates/2024-02-12-runc.md
@@ -0,0 +1 @@
+- runc ([1.1.12](https://github.com/opencontainers/runc/releases/tag/v1.1.12))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-1.6.16.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-1.6.16-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-1.6.16.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-1.6.16-r1.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild
index a3d01b050a..064742d05f 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild
@@ -29,7 +29,7 @@ SLOT="0"
 IUSE="+btrfs hardened"
 DEPEND="btrfs? ( sys-fs/btrfs-progs )"
-RDEPEND="~app-emulation/docker-runc-1.1.4
+RDEPEND="~app-emulation/docker-runc-1.1.12
 sys-libs/libseccomp"
 S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
index 522ba8235b..ccb4b989a6 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
@@ -1 +1 @@
-DIST docker-runc-1.1.4.tar.gz 2337285 BLAKE2B b82beac54eb07cf0a657af910201fcff05579d7311bef9d07df1fc8b60fac2b9560b250366193f0f84319ced66bc3f1a1af1bb8a57233187e7ef77a7799b55e7 SHA512 c6665265369af843550181fe44217d0e4f5c3b019c47359bfe9db94dcbd1866c05756b09adea905437bbff8bcfd2b6b02185ca4e7f1d62ed3bf177118308e41a
+DIST docker-runc-1.1.12.tar.gz 2525814 BLAKE2B 55965eda3f145a8f17e483e5f7d73cc8b6e17df5c501d9b9fd6796d6154acb069d30893f7d040da6c190811affe92e257790a270fc331662c0d2735872362141 SHA512 12da3fb0a26a1f6e5dca233614a544fae9d73a01751a9bf5f5c0a8247832c7159395213d613a3f680aa6462f661e890b507e26e36949117200c39446878bbaa1
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.4.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.12.ebuild
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.12.ebuild
index 92254a06ea..de0d955854 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.1.12.ebuild
@@ -8,7 +8,7 @@ COREOS_GO_PACKAGE="${GITHUB_URI}"
 COREOS_GO_VERSION="go1.18"
 # the commit of runc that docker uses.
 # see https://github.com/docker/docker-ce/blob/v19.03.15/components/engine/hack/dockerfile/install/runc.installer#L4
-COMMIT_ID="81a44cf162f4409cc6ff656e2433b87321bf8a7a"
+COMMIT_ID="51d5e94601ceffbbd85688df1c928ecccbfa4685"
 inherit eutils flag-o-matic coreos-go vcs-snapshot
@@ -55,7 +55,7 @@ src_compile() {
 )
 GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \
- VERSION=1.1.4+dev.docker-20.10 \
+ VERSION=1.1.12+dev.docker-20.10 \
 COMMIT="${COMMIT_ID}"
 }
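Review bot: The provenance comment above `COMMIT_ID` is left stale: the id changes to `51d5e94601ceffbbd85688df1c928ecccbfa4685`, but the two comment lines still describe the value as the commit docker uses and point at docker-ce v19.03.15's `runc.installer`, while the `VERSION=1.1.12+dev.docker-20.10` hunk in the same file already targets docker 20.10 and runc 1.1.12. A reader therefore cannot tell from the ebuild which runc tag this id was taken from, nor that it has to agree with the `docker-runc-1.1.12.tar.gz` digests recorded in the Manifest hunk of this commit. Replacing the two lines with `# commit of the upstream runc release we build (expected: the v1.1.12 tag); must match the Manifest digests` and confirming the id against https://github.com/opencontainers/runc/releases/tag/v1.1.12 (the link the updates changelog in this commit uses) would close that gap.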
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
index dba875395f..2edf978c44 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
@@ -1,4 +1,4 @@
-From ab3a3b89d712bb1c6ca2e09ffc375f4b837e9401 Mon Sep 17 00:00:00 2001
+From 2b89252c4605acb2376c004d3b7096d362eeaa7c Mon Sep 17 00:00:00 2001
 From: Mrunal Patel
 Date: Thu, 2 Feb 2017 11:23:26 -0800
 Subject: [PATCH] Delay unshare of CLONE_NEWIPC for SELinux
@@ -10,37 +10,37 @@ to mqueue.
 Signed-off-by: Mrunal Patel
 ---
- libcontainer/nsenter/nsexec.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
+ libcontainer/nsenter/nsexec.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index 0ad68834..5100698a 100644
+index 2d224bab..800cb0dc 100644
 --- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
-@@ -719,7 +719,12 @@ void nsexec(void)
+@@ -1241,7 +1241,11 @@ void nsexec(void)
 * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
 * was broken, so we'll just do it the long way anyway.
 */
- write_log(DEBUG, "unshare remaining namespace (except cgroupns)");
-- if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
+- try_unshare(config.cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
 + uint32_t apply_cloneflags = config.cloneflags;
 + if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
 + apply_cloneflags &= ~CLONE_NEWIPC;
 + }
-+
-+ if (unshare(apply_cloneflags & ~CLONE_NEWCGROUP) < 0)
- bail("failed to unshare remaining namespaces (except cgroupns)");
++ try_unshare(apply_cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
- /*
-@@ -841,6 +846,11 @@ void nsexec(void)
+ /* Ask our parent to send the mount sources fds. */
+ if (config.mountsources) {
+@@ -1358,6 +1362,10 @@ void nsexec(void)
 bail("setgroups failed");
 }
 + if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
-+ if (unshare(CLONE_NEWIPC) < 0)
-+ bail("unshare ipc failed");
++ try_unshare(CLONE_NEWIPC, "ipc namespace");
 + }
 +
- /*
- * Wait until our topmost parent has finished cgroup setup in
- * p.manager.Apply().
+ if (config.cloneflags & CLONE_NEWCGROUP) {
+ try_unshare(CLONE_NEWCGROUP, "cgroup namespace");
+ }
+--
+2.34.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild
index ed38a5bc7c..27e910aef9 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild
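Review bot: The deferral of CLONE_NEWIPC is still undocumented in the code after the rebase: the first nsexec.c hunk drops CLONE_NEWIPC from `apply_cloneflags` only when CLONE_NEWUSER is also set, and the second hunk re-applies it with a verbatim copy of the same condition after the `bail("setgroups failed")` block, so the two tests must be kept in sync by hand and the only explanation a future rebaser has is the patch subject (SELinux, mqueue). A comment above `uint32_t apply_cloneflags = config.cloneflags;` reading `/* Defer CLONE_NEWIPC when a user namespace is requested; it is unshared after the user-ns setup below (SELinux/mqueue, see patch description). */`, and `/* Deferred from the cloneflags unshare above; condition must match. */` before `try_unshare(CLONE_NEWIPC, "ipc namespace");`, would make the pairing explicit. The rebase also swaps the old `unshare()` + `bail()` pair for runc's `try_unshare()` helper, so the error path and the debug log that the removed `write_log(DEBUG, ...)` line provided now depend on that helper's behaviour in 1.1.12; a sentence in the patch description saying this is intentional would spare the next rebase the same investigation. The enclosing `nsexec` function starts and ends outside both inner hunks.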
@@ -15,7 +15,7 @@ RDEPEND="
 ~app-emulation/docker-cli-20.10.23
 ~app-emulation/containerd-1.6.16
 ~app-emulation/docker-proxy-0.8.0_p20210525
- ~app-emulation/docker-runc-1.1.4
+ ~app-emulation/docker-runc-1.1.12
 =dev-libs/libltdl-2.4.7
 ~sys-process/tini-0.19.0
 "