diff --git a/patch/0128-runc-fix-CVE-2022-29162.patch b/patch/0128-runc-fix-CVE-2022-29162.patch
new file mode 100644
index 0000000000000000000000000000000000000000..98182cc42b1e843d84549d5c46ba54b8a01f22bd
--- /dev/null
+++ b/patch/0128-runc-fix-CVE-2022-29162.patch
@@ -0,0 +1,45 @@
+From d940c8e738ce011bbfafdc6ef8af6516f8ee2191 Mon Sep 17 00:00:00 2001
+From: Vanient
+Date: Mon, 6 Jun 2022 20:23:46 +0800
+Subject: [PATCH] runc: fix CVE-2022-29162
+
+do not set inheritable capabilities
+upstream:https://github.com/opencontainers/runc/commit/98fe566c527479195ce3c8167136d2a555fe6b65
+
+Signed-off-by: Vanient
+---
+ exec.go | 1 -
+ libcontainer/specconv/example.go | 5 -----
+ 2 files changed, 6 deletions(-)
+
+diff --git a/exec.go b/exec.go
+index 9ed90ea..5e5ce00 100644
+--- a/exec.go
++++ b/exec.go
+@@ -176,7 +176,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
+ if caps := context.StringSlice("cap"); len(caps) > 0 {
+ for _, c := range caps {
+ p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
+- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
+ p.Capabilities.Effective = append(p.Capabilities.Effective, c)
+ p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
+ p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
+diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
+index 9a4460c..973ea79 100644
+--- a/libcontainer/specconv/example.go
++++ b/libcontainer/specconv/example.go
+@@ -46,11 +46,6 @@ func Example() *specs.Spec {
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+- Inheritable: []string{
+- "CAP_AUDIT_WRITE",
+- "CAP_KILL",
+- "CAP_NET_BIND_SERVICE",
+- },
+ Ambient: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+--
+2.27.0
+
diff --git a/runc-openeuler.spec b/runc-openeuler.spec
index f85bb25ba24396c67a9d4eb366780da007f88148..67ca077312ad2abc8e202e91384abd8b548e9d77 100644
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
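Review bot: The exec.go hunk stops appending each `--cap` value to Inheritable but still appends it to Ambient, and the kernel only lets a capability be raised into the ambient set when it is also in the inheritable set, so the backport should be exercised on the 1.0.0.rc3 base to confirm that `runc exec --cap` still applies the requested capabilities rather than failing or silently dropping the ambient set. The embedded header names the upstream commit but the port carries no test change, and the hunk offsets (`@@ -176,7 +176,6 @@`) were presumably re-based, so the rest of getProcess, which lies outside this hunk, is worth scanning for any other place Inheritable is populated. A short why-comment above the loop would save the next maintainer a lookup, e.g. `// Inheritable is deliberately left unset here (CVE-2022-29162).`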
@@ -4,7 +4,7 @@ Name: docker-runc
 Version: 1.0.0.rc3
-Release: 300
+Release: 301
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -53,6 +53,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Thu Jun 03 2021 xiadanni - 1.0.0.rc3-301
+- Type:CVE
+- CVE:CVE-2022-29162
+- SUG:NA
+- DESC:do not set inheritable capabilities
+
 * Tue Jan 26 2022 songyanting - 1.0.0.rc3-300
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 42771a46ce8a9a81c624743ac0c7e50ac5bf39ae..b5d1f52501356d19218110641b7ed97b21081993 100644
--- a/series.conf
+++ b/series.conf
@@ -128,4 +128,5 @@ patch/0127-runc-add-mount-destination-validation-fix-CVE-2021.patch
 patch/0128-runc-optimize-nsexec-logging.patch
 patch/0129-runc-improve-log-for-debugging.patch
 patch/0130-runc-fix-cgroup-info-print-error.patch
+patch/0128-runc-fix-CVE-2022-29162.patch
 #end
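Review bot: The new %changelog entry is dated `Thu Jun 03 2021`, which is earlier than the `Tue Jan 26 2022` entry placed below it and a year before the patch it describes (the embedded patch header is dated 6 Jun 2022); rpmbuild checks %changelog dates for descending order and day-of-week consistency, so this is likely to produce at least a warning and possibly a build failure on newer rpm. The date should be the day the entry was written, e.g. `* Mon Jun 06 2022 xiadanni - 1.0.0.rc3-301` (constructed from the patch's own date; confirm the actual date before committing).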
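Review bot: The new entry `patch/0128-runc-fix-CVE-2022-29162.patch` reuses the sequence number of the existing `patch/0128-runc-optimize-nsexec-logging.patch` while being listed after 0130, so the file numbering no longer reflects apply order. Renaming the new file to the next free number (0131, here and in the `diff --git a/patch/...` header that adds it) keeps the series unambiguous; its position as the last entry before `#end` looks right for a fix that depends on nothing later in the series.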