diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r10.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r10.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild
index edd06be950..297549bd82 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild
@@ -8,7 +8,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
- CROS_WORKON_COMMIT="12d43a8e71293567f10d940465113550188a4ce8" # flatcar-master
+ CROS_WORKON_COMMIT="c6f566d47d8949632f7f43871eb8d5c625af3209" # flatcar-master
 KEYWORDS="amd64 arm64"
 fi
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch
deleted file mode 100644
index b8e031ed44..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 67176ea3ab5eccd004ca9cacef103d1f0636828a Mon Sep 17 00:00:00 2001
-From: Krzesimir Nowak
-Date: Mon, 16 Jan 2023 10:26:24 +0100
-Subject: [PATCH] "Fix" link creation
-
-It's not a proper fix as it stands, because it would try to create a
-hardlink at $(DESTDIR)$(BINDIR)/uncompress using compress from a
-current working directory (so this may work only by chance if compress
-actually exists there), but app-arch/ncompress is also patching
-Makefile.def to use symbolic links. So those two hacks together should
-do the trick by creating a symbolic link at
-$(DESTDIR)$(BINDIR)/uncompress pointing to compress in the same
-directory, instead of creating a dangling symlink.
----
- Makefile.def | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile.def b/Makefile.def
-index 94c9719..0fafc7a 100644
---- a/Makefile.def
-+++ b/Makefile.def
-@@ -44,14 +44,14 @@ install_core: compress
- mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)
- cp compress $(DESTDIR)$(BINDIR)/compress
- rm -f $(DESTDIR)$(BINDIR)/uncompress
-- ln $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/uncompress
-+ ln compress $(DESTDIR)$(BINDIR)/uncompress
- cp compress.1 uncompress.1 $(DESTDIR)$(MANDIR)/.
- chmod 0644 $(DESTDIR)$(MANDIR)/compress.1 $(DESTDIR)$(MANDIR)/uncompress.1
-
- install_extra: install_core
- mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)
- rm -f $(DESTDIR)$(BINDIR)/zcat
-- ln -f $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/zcat
-+ ln -f compress $(DESTDIR)$(BINDIR)/zcat
- cp zcmp zdiff zmore $(DESTDIR)$(BINDIR)/.
- chmod 0755 $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/zcmp $(DESTDIR)$(BINDIR)/zdiff $(DESTDIR)$(BINDIR)/zmore
- cp zcmp.1 zmore.1 $(DESTDIR)$(MANDIR)/.
---
-2.25.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md
deleted file mode 100644
index e8c9c61244..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-Drop `0001-Fix-link-creation.patch` when we have ncompress 5.0-r1 or greater.
-
-See https://github.com/gentoo/gentoo/pull/29131.
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch
new file mode 100644
index 0000000000..938b3d6ace
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/0001-constexpr.patch
@@ -0,0 +1,14 @@
+The constexpr keyword is missing for a function that was invoked from
+another constexpr function. Add the missing keyword.
+
+--- a/libstdc++-v3/src/c++17/memory_resource.cc 2022-12-09 22:33:43.000000000 -0000
++++ b/libstdc++-v3/src/c++17/memory_resource.cc 2023-01-25 13:14:24.025359063 -0000
+@@ -603,7 +603,7 @@
+ void* pointer = nullptr;
+ aligned_size _M_size;
+
+- size_t size() const noexcept
++ constexpr size_t size() const noexcept
+ {
+ if (_M_size.value == size_t(-1)) [[unlikely]]
+ return size_t(-1);
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md
new file mode 100644
index 0000000000..9a331e1e86
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-devel/gcc/README.md
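Review bot: The header of `0001-constexpr.patch` names neither an upstream bug or commit nor the gcc version it was written against, so nobody can later tell whether the `constexpr size_t size() const noexcept` change in `libstdc++-v3/src/c++17/memory_resource.cc` mirrors an upstream fix or is a local workaround in the toolchain. The patch sits in the unversioned `sys-devel/gcc` directory, so it presumably gets applied to every gcc version built from this overlay; that is inferred from the path and not shown in the diff. I would add a header line such as `Local workaround, written against sys-devel/gcc-11.3.1_p20221209; drop on the next gcc bump.` after confirming that version. The struct that contains `size()` starts and ends outside the inner hunk.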
@@ -0,0 +1,6 @@
+Drop `0001-constexpr.patch` when not applicable any more. It's a weird
+issue, because building the same version of the compiler worked fine
+before. Maybe some patch from gcc patches is at fault here. Didn't
+investigate in hope that the issue is ephemeral. Some newer version of
+gcc is already marked as stable for both amd64 and arm64 in Gentoo, so
+this patch will most likely be dropped next week.
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
index b94165b00f..9c9902f00b 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
@@ -13,10 +13,7 @@
 =dev-lang/yasm-1.3.0-r1 ~arm64
 # needed to force enable bpftool for arm64
-=dev-util/bpftool-5.19.8 **
-
-# needed to address CVE-2022-23521, CVE-2022-41903
-=dev-vcs/git-2.38.3 ~arm64
+=dev-util/bpftool-5.19.12 **
 =net-dns/c-ares-1.17.2 ~arm64
 =net-firewall/conntrack-tools-1.4.6-r1 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index ac519872ef..23a712da51 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
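Review bot: The arm64 `package.accept_keywords` hunk drops `=dev-vcs/git-2.38.3 ~arm64`, the entry added for CVE-2022-23521 and CVE-2022-41903, and nothing in the hunk shows which git version arm64 resolves to afterwards. The removal is only safe if the stable arm64 git ebuild in the tree is already at or above a release carrying those fixes; that ebuild is not part of this diff, so it is worth confirming and stating in the commit description. If the fix now comes from a stable ebuild, a short replacement comment naming that version would keep the history of the CVE handling readable in the file.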
@@ -2,8 +2,18 @@
 # Copyright (c) 2013 The CoreOS Authors. All rights reserved.
 # Distributed under the terms of the GNU General Public License v2
+# Necessary for the symlink fix for uncompress utility.
+=app-arch/ncompress-5.0-r1 ~amd64 ~arm64
+
 =app-arch/zstd-1.4.9 ~amd64 ~arm64
+# Necessary to fix CVE-2023-0049, CVE-2023-0051 and CVE-2023-0054.
+=app-editors/vim-9.0.1157 ~amd64 ~arm64
+=app-editors/vim-core-9.0.1157 ~amd64 ~arm64
+
+# Keep the version of qemu the same on all arches.
+=app-emulation/qemu-7.2.0 ~arm64
+
 =coreos-devel/fero-client-0.1.1 **
 # Accept unstable host Rust compilers
@@ -12,8 +22,15 @@
 =dev-libs/libgcrypt-1.9.4 ~amd64 ~arm64
+# Keep the version of bind-tools the same on all arches.
+=net-dns/bind-tools-9.16.36 ~arm64
+
 # Required for addressing CVE-2022-29154
-=net-misc/rsync-3.2.7-r1 ~amd64 ~arm64
+=net-misc/rsync-3.2.7-r2 ~amd64 ~arm64
+
+# Keep the version of curl the same on all arches.
+# Also needed for CVE-2022-43551 and CVE-2022-43552.
+=net-misc/curl-7.87.0-r2 ~arm64
 =sys-fs/cryptsetup-2.4.1-r1 ~amd64 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
index 7d04948e69..68d088c019 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
@@ -21,3 +21,8 @@
 # Python 3.10 is stable in portage-stable, so avoid picking it
 # up. Drop this when we switch to it.
 >=dev-lang/python-3.10
+
+# sys-devel/gcc-11.3.1_p20221209 is the latest gcc version that is
+# stable on both amd64 and arm64. There are newer versions of gcc
+# which are stable only on one of them, so mask them.
+>sys-devel/gcc-11.3.1_p20221209
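Review bot: In the second hunk of the base `package.accept_keywords`, `=net-misc/curl-7.87.0-r2 ~arm64` is documented as needed for CVE-2022-43551 and CVE-2022-43552 but accepts the keyword for arm64 only, whereas the vim and rsync CVE entries in the same file cover `~amd64 ~arm64`. That is correct only if 7.87.0-r2 is already stable on amd64, which the "same on all arches" wording suggests but the diff does not show. Once confirmed, I would make the comment say so, for example `# 7.87.0-r2 is already stable on amd64; accept it on arm64 as well (CVE-2022-43551, CVE-2022-43552).`, so nobody later assumes amd64 gets the fix from this entry.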
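Review bot: The new `>sys-devel/gcc-11.3.1_p20221209` mask in `package.mask` has no removal condition, unlike the python mask directly above it, which ends with "Drop this when we switch to it." An open-ended upper bound on the compiler also holds back every later gcc revision, including ones that carry fixes, until someone remembers to lift it. I would close the comment with a line such as `# Drop this once a newer gcc is stable on both amd64 and arm64.`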
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 96834a54f5..736735cf52 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -9,7 +9,7 @@ dev-libs/dbus-glib tools
 dev-libs/libxml2 -python
 dev-libs/libxslt -python
 dev-util/perf -doc
-dev-vcs/git webdav curl bash-completion
+dev-vcs/git webdav curl
 net-misc/curl kerberos telnet
 net-misc/iputils arping tracepath
 sys-devel/gettext -git