diff --git a/patch/0039-runc-fix-CVE-2024-3154.patch b/patch/0039-runc-fix-CVE-2024-3154.patch
new file mode 100644
index 0000000000000000000000000000000000000000..648898fb5ce108908ab755a3c5a2aad1293857da
--- /dev/null
+++ b/patch/0039-runc-fix-CVE-2024-3154.patch
@@ -0,0 +1,42 @@
+From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Sat, 9 Mar 2024 21:30:56 +0900
+Subject: [PATCH] features: implement returning
+ potentiallyUnsafeConfigAnnotations list
+
+See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
+
+Signed-off-by: Akihiro Suda
+---
+ docs/spec-conformance.md | 1 -
+ features.go | 5 +++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/docs/spec-conformance.md b/docs/spec-conformance.md
+index 91c12aea8ac..b4f3b9df660 100644
+--- a/docs/spec-conformance.md
++++ b/docs/spec-conformance.md
+@@ -9,7 +9,6 @@ Spec version | Feature | PR
+ -------------|------------------------------------------------|----------------------------------------------------------
+ v1.1.0 | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | [#3862](https://github.com/opencontainers/runc/pull/3862)
+ v1.1.0 | `.process.ioPriority` | [#3783](https://github.com/opencontainers/runc/pull/3783)
+-v1.2.0 | Features: `potentiallyUnsafeConfigAnnotations` | TODO
+
+ ## Architectures
+
+diff --git a/features.go b/features.go
+index 81cd149ac73..eff04c1b2d2 100644
+--- a/features.go
++++ b/features.go
+@@ -64,6 +64,11 @@ var featuresCommand = cli.Command{
+ },
+ },
+ },
++ PotentiallyUnsafeConfigAnnotations: []string{
++ "bundle",
++ "org.systemd.property.", // prefix form
++ "org.criu.config",
++ },
+ }
+
+ if seccomp.Enabled {
diff --git a/runc.spec b/runc.spec
index e7407f3da2774ed13d81e5d7fb612cf7cf704acb..cde7f44a1584321ba06c133dfe2ec72d9b6684dd 100644
--- a/runc.spec
+++ b/runc.spec
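Review bot: The inner `features.go` hunk (`+@@ -64,6 +64,11 @@ var featuresCommand = cli.Command{`) assigns `PotentiallyUnsafeConfigAnnotations`, a field the patch itself ties to runtime-spec v1.2.0 (the reference link in the commit body and the dropped `v1.2.0 | Features: potentiallyUnsafeConfigAnnotations | TODO` row), while this spec builds runc 1.1.8. Unless the 1.1.8 tree's vendored runtime-spec `features.Features` already carries that field and `docs/spec-conformance.md` exists there, the patch will either fail to apply or leave `features.go` uncompilable, so presumably a vendor bump or a rebased patch is needed — confirm against the unpacked source before relying on the build. Separately, the change only appends an advisory list to the `runc features` output; it does not alter how runc itself handles the `bundle`, `org.systemd.property.*` or `org.criu.config` annotations, so it mitigates CVE-2024-3154 only for engines that consult that list and reject those annotations themselves. I would record that in the patch's commit message, e.g. `Advisory only: consuming engines must read runc features and reject these annotations themselves.` The enclosing `featuresCommand` composite literal starts and ends outside the inner hunk.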
@@ -3,7 +3,7 @@
 Name: runc
 Version: 1.1.8
-Release: 14
+Release: 15
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -57,6 +57,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Thu May 09 2024 zhaosai - 1.1.8-15
+- Type:cves
+- CVE:CVE-2024-3154
+- SUG:NA
+- DESC:fix CVE-2024-3154
+
 * Wed Apr 17 2024 Huang Yang - 1.1.8-14
 - Type:bugfix
 - CVE:NA