build(deps): Bump github.com/opencontainers/runc from 1.4.2 to 1.4.3 #1883

Open
dependabot[bot] wants to merge 1 commit into release-1.19 from dependabot/go_modules/release-1.19/github.com/opencontainers/runc-1.4.3

dependabot[bot] commented on behalf of github on Jun 14, 2026

Bumps github.com/opencontainers/runc from 1.4.2 to 1.4.3.

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.4.3] - 2026-06-13

The best way to irritate him is to feed his grandmother to the Ravenous Bugblatter Beast of Traal.

Security

This release includes a fix for the following low-severity security issue:

  • CVE-2026-41579 allowed a malicious image with a /dev symlink to have limited write access to the host filesystem in ways that our analysis indicates was too limited to be problematic in practice. This bug was very similar to those fixed in CVE-2025-31133, CVE-2025-52565, CVE-2025-31133 and was simply missed at the time when we hardened the rootfs preparation code. We have conducted a deeper audit and not found any other problematic cases.

Fixed

Changed

  • When masking directories with maskPaths, runc will now re-use a single tmpfs instance (which is not writeable) to reduce the number of tmpfs superblocks that need to be reaped when containers die (in particular, Kubernetes applies masks to per-CPU sysfs directories which get expensive quickly). (#5275, #5281)

Commits
  • bb14dab VERSION: release v1.4.3
  • 31d72bf merge CVE-2026-41579 fixes into release-1.4
  • b2b50a4 rootfs: make cgroupv1 subsystem symlinks fd-based
  • a7343f8 rootfs: make /dev initialisation code fd-based
  • 5f2f6b5 rootfs: switch createDevices argument order
  • 6a7de4e Merge pull request #5304 from ricardobranco777/1.4-5295
  • a753597 Update busybox:glibc in integration tests to latest (1.38.0) builds
  • 3d7f708 Update busybox:glibc in integration tests to latest (1.37.0) builds
  • c6454ef tests/int: relax testPids fork error match string
  • cae4907 tests/int: build TestPids pipelines programmatically
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/v1.4.3/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.4.2...v1.4.3)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels "dependencies" (Issue/PR Pull about a dependency file) and "maintenance" (Issue/PR to create or address a team project management need) on Jun 14, 2026

copy-pr-bot[bot] commented on Jun 14, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
