diff --git a/git-commit b/git-commit
index 7b3c36d839d58042b2914d46381eeec23053a591..7079ed03db5a8c5f9ce8adec54371ecd295799a8 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-3af9b6470b9bdac1d1e6e881e8f89963b6965519
+984c9ee928178d7acf6356005aeed57fca9c4c52
diff --git a/patch/0053-runc-fix-CVE-2024-3154.patch b/patch/0053-runc-fix-CVE-2024-3154.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5ece86739d960120809b7ca3defe59ef5badeaa3
--- /dev/null
+++ b/patch/0053-runc-fix-CVE-2024-3154.patch
@@ -0,0 +1,50 @@
+From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Sat, 9 Mar 2024 21:30:56 +0900
+Subject: [PATCH] features: implement returning
+ potentiallyUnsafeConfigAnnotations list
+
+See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
+
+Signed-off-by: Akihiro Suda
+---
+ features.go | 5 +++++
+ types/features/features.go | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/features.go b/features.go
+index c9cd15c..7f76e7a 100644
+--- a/features.go
++++ b/features.go
+@@ -55,6 +55,11 @@ var featuresCommand = cli.Command{
+ Enabled: &tru,
+ },
+ },
++ PotentiallyUnsafeConfigAnnotations: []string{
++ "bundle",
++ "org.systemd.property.", // prefix form
++ "org.criu.config",
++ },
+ }
+
+ if seccomp.Enabled {
+diff --git a/types/features/features.go b/types/features/features.go
+index c6269ca..8b467f7 100644
+--- a/types/features/features.go
++++ b/types/features/features.go
+@@ -25,6 +25,12 @@ type Features struct {
+ // Annotations contains implementation-specific annotation strings,
+ // such as the implementation version, and third-party extensions.
+ Annotations map[string]string `json:"annotations,omitempty"`
++
++ // PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
++ // that may appear in `config.json`.
++ //
++ // A value that ends with "." is interpreted as a prefix of annotations.
++ PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
+ }
+
+ // Linux is specific to Linux.
+--
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index ef8614683980a56742d8135ece432230c8b4e87c..e91a6f0280fc78507752e4113a0fbebf19da8789 100644
--- a/runc.spec
+++ b/runc.spec
@@ -3,7 +3,7 @@ Name: docker-runc
 Version: 1.1.3
-Release: 23
+Release: 25
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
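Review bot: Nothing in this patch enforces anything at container start: the `features.go` change only lists `bundle`, `org.systemd.property.` and `org.criu.config` in the `runc features` output, and no added line checks a config.json's annotations against that list, so on its own it does not block the `org.systemd.property.`-style injection that CVE-2024-3154 describes. As far as I understand the advisory, the actual rejection of untrusted annotations has to happen in the higher-level runtime that consumes `potentiallyUnsafeConfigAnnotations` (honouring the trailing-`.` prefix rule stated in the struct comment), so a build that ships this patch alongside an unpatched CRI layer gains no protection, and the changelog's `DESC:fix CVE-2024-3154` should be read as "mitigation hook", not "fix". I would reword that changelog line to something like `- DESC:expose potentiallyUnsafeConfigAnnotations in runc features (CVE-2024-3154 mitigation; annotation filtering is the caller's job)` so the dependency on the consumer is recorded for the next maintainer. Both inner hunks land in the middle of the `featuresCommand` literal and the `Features` struct, which start and end outside what is shown here.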
@@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Fri May 24 2024 zhongjiawei - 1.1.3-25
+- Type:CVE
+- CVE:CVE-2024-3154
+- SUG:NA
+- DESC:fix CVE-2024-3154
+
 * Tue Feb 06 2024 zhongjiawei - 1.1.3-24
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 95f4db666fd4fa7d77908a369e5cb14643764b70..c118a09d67f216b5e32af1d0513bf3afc6e64152 100644
--- a/series.conf
+++ b/series.conf
@@ -50,3 +50,4 @@ patch/0049-runc-nsexec-Check-for-errors-in-write_log.patch
 patch/0050-runc-increase-the-number-of-cgroup-deletion-retries.patch
 patch/0051-runc-fix-CVE-2024-21626.patch
 patch/0052-runc-check-cmd-exist.patch
+patch/0053-runc-fix-CVE-2024-3154.patch