diff --git a/CHANGELOG.md b/CHANGELOG.md
index ffdc9ae2fb5..4022df0144d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+> **NOTE**: runc currently will not work properly when compiled with Go 1.22 or
+> newer. This is due to a glibc bug combined with Go 1.22 explicitly checking
+> if glibc is in a broken state. [See this issue for more
+> information.][runc-4233].
+
 ### Deprecated
 
  * `runc` option `--criu` is now ignored (with a warning), and the option will
@@ -47,6 +52,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  * Remove tun/tap from the default device rules. (#3468)
  * specconv: avoid mapping "acl" to MS_POSIXACL. (#3739)
 
+[runc-4233]: https://github.com/opencontainers/runc/issues/4233
+
 ## [1.1.8] - 2023-07-20
 
 > 海纳百川 有容乃大
diff --git a/libcontainer/nsenter/nsenter_go122.go b/libcontainer/nsenter/nsenter_go122.go
new file mode 100644
index 00000000000..84f88dd3e70
--- /dev/null
+++ b/libcontainer/nsenter/nsenter_go122.go
@@ -0,0 +1,14 @@
+//go:build go1.22
+
+package nsenter
+
+/*
+// We know for sure that glibc has issues with pthread_self() when called from
+// Go after nsenter has run. This is likely a more general problem with how we
+// ignore the rules in signal-safety(7), and so it's possible musl will also
+// have issues, but as this is just a hotfix let's only block glibc builds.
+#ifdef __GLIBC__
+#  error "runc does not currently work properly with Go >=1.22. See <https://github.com/opencontainers/runc/issues/4233>."
+#endif
+*/
+import "C"