Bump opencontainers/runc to v1.4.3

[k0s-bot]

This PR contains the following updates:

Package	Update	Change
opencontainers/runc	patch	1.4.2 → 1.4.3

---

Release Notes

opencontainers/runc (opencontainers/runc)

v1.4.3

Compare Source

The best way to irritate him is to feed his grandmother to the Ravenous
Bugblatter Beast of Traal.

Security

This release includes a fix for the following low-severity security issue:

• CVE-2026-41579 allowed a malicious image with a /dev symlink to have
  limited write access to the host filesystem in ways that our analysis
  indicates was too limited to be problematic in practice. This bug was very
  similar to those fixed in [CVE-2025-31133][], [CVE-2025-52565][],
  [CVE-2025-31133][] and was simply missed at the time when we hardened the
  rootfs preparation code. We have conducted a deeper audit and not found any
  other problematic cases.

Fixed

• Various integration test improvements. (#​5222, #​5237, #​5226, #​5229, #​5239,
  #​5249, #​5269, #​5287, #​5295, #​5304)

Changed

• When masking directories with maskPaths, runc will now reuse a single
  tmpfs instance (which is not writable) to reduce the number tmpfs
  superblocks that need to be reaped when containers die (in particular,
  Kubernetes applies masks to per-CPU sysfs directories which get expensive
  quickly). (#​5275, #​5281)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[k0s-bot]

Successfully created backport PR for release-1.36:

• [Backport release-1.36] Bump opencontainers/runc to v1.4.3 #7799