runc v1.4.0 -- "路漫漫其修远兮,吾将上下而求索!"


cyphar released this 27 Nov 23:35
· 177 commits to main since this release
v1.4.0
This tag was signed with the committer's verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Verified
8bd78a9
This commit was signed with the committer's verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Verified

This is the first release of the 1.4.z release branch of runc. It
contains a few fixes for issues found in 1.4.0-rc.3. This version of
runc supports runtime-spec v1.3 (see docs/spec-conformance.md for the
few features that are still missing).

This is the second release of runc following our new release and support
policy (see RELEASES.md for more details). This means that, as of this
release:

  • The runc 1.2.z release branch will now only receive high severity
    CVE fixes, and will no longer be supported in less than 6 months (end
    of April 2026).
  • The runc 1.3.z release branch will now only receive security and
    "significant" bugfixes.
  • Users are encouraged to plan migrating to runc 1.4.0 as soon as
    possible.
  • Despite this release being delayed by a month, users should still
    expect a runc 1.5.0 release in late April 2026.

Deprecated

  • Deprecate cgroup v1. (#4956)
  • Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from
    libcontainer/utils. (#4985)

Breaking

  • The handling of pids.limit has been updated to match the newer guidance
    from the OCI runtime specification. In particular, now a maximum limit value
    of 0 will be treated as an actual limit (due to limitations with systemd,
    it will be treated the same as a limit value of 1). We only expect users
    that explicitly set pids.limit to 0 will see a behaviour change.
    (opencontainers/cgroups#48, #4949)
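
To find bundles affected by the pids.limit change above, the following added example (not part of the runc release notes or of runc's own code) checks an OCI config.json for an explicit linux.resources.pids.limit of 0. The helper name PidsLimitExplicitZero and the sample documents are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ociConfig is a minimal view of an OCI config.json; only the
// linux.resources.pids.limit field is decoded. Pointers distinguish
// "not set" from an explicit 0.
type ociConfig struct {
	Linux *struct {
		Resources *struct {
			Pids *struct {
				Limit *int64 `json:"limit"`
			} `json:"pids"`
		} `json:"resources"`
	} `json:"linux"`
}

// PidsLimitExplicitZero (hypothetical helper) reports whether the config
// explicitly sets pids.limit to 0, the one case the release note says
// changes behaviour in runc 1.4.0.
func PidsLimitExplicitZero(configJSON []byte) (bool, error) {
	var c ociConfig
	if err := json.Unmarshal(configJSON, &c); err != nil {
		return false, fmt.Errorf("parse config.json: %w", err)
	}
	if c.Linux == nil || c.Linux.Resources == nil || c.Linux.Resources.Pids == nil {
		return false, nil
	}
	limit := c.Linux.Resources.Pids.Limit
	return limit != nil && *limit == 0, nil
}

func main() {
	// Constructed sample documents, not taken from any real bundle.
	samples := []string{
		`{"linux":{"resources":{"pids":{"limit":0}}}}`,
		`{"linux":{"resources":{"pids":{"limit":1024}}}}`,
		`{"linux":{"resources":{}}}`,
	}
	for _, s := range samples {
		hit, err := PidsLimitExplicitZero([]byte(s))
		fmt.Printf("%-50s explicit-zero=%v err=%v\n", s, hit, err)
	}
}
```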

Fixed

  • cgroups: provide iocost statistics for cgroupv2. (opencontainers/cgroups#43)
  • cgroups: retry DBus connection when it fails with EAGAIN.
    (opencontainers/cgroups#45)
  • cgroups: improve cpuacct.usage_all resilience when parsing data from
    patched kernels (such as the Tencent kernels). (opencontainers/cgroups#46,
    opencontainers/cgroups#50)
  • libct: close child fds on prepareCgroupFD error. (#4936)
  • libct: fix mips compilation. (#4962, #4967)
  • When configuring a tmpfs mount, only set the mode= argument if the target
    path already existed. This fixes a regression introduced in our
    CVE-2025-52881 mitigation patches. (#4971, #4976)
  • Fix various file descriptor leaks and add additional tests to detect them as
    comprehensively as possible. (#5007, #5021, #5034)
  • The "hallucination" helpers added as part of the CVE-2025-52881
    mitigation have been made more generic and now apply to all of our pathrs
    helper functions, which should ensure we will not regress dangling symlink
    users. (#4985)

Changed

  • libct: switch to (*CPUSet).Fill. (#4927)
  • docs/spec-conformance.md: update for spec v1.3.0. (#4948)

Static Linking Notices

The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to the following contributors for making this release possible:
