diff --git a/CHANGELOG.md b/CHANGELOG.md
index 70456291713..00be0281ef2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased 1.1.z]
 
+> **NOTE**: runc currently will not work properly when compiled with Go 1.22 or
+> newer. This is due to some unfortunate glibc behaviour that Go 1.22
+> exacerbates in a way that results in containers not being able to start on
+> some systems. [See this issue for more information.][runc-4233].
+
+[runc-4233]: https://github.com/opencontainers/runc/issues/4233
+
 ## [1.1.12] - 2024-01-31
 
 > Now you're thinking with Portals™!
diff --git a/libcontainer/nsenter/nsenter_go122.go b/libcontainer/nsenter/nsenter_go122.go
new file mode 100644
index 00000000000..2b9ece0ad29
--- /dev/null
+++ b/libcontainer/nsenter/nsenter_go122.go
@@ -0,0 +1,15 @@
+//go:build go1.22
+
+package nsenter
+
+/*
+// We know for sure that glibc has issues with pthread_self() when called from
+// Go after nsenter has run. This is likely a more general problem with how we
+// ignore the rules in signal-safety(7), and so it's possible musl will also
+// have issues, but as this is just a hotfix let's only block glibc builds.
+#include <features.h>
+#ifdef __GLIBC__
+#  error "runc does not currently work properly with Go >=1.22. See <https://github.com/opencontainers/runc/issues/4233>."
+#endif
+*/
+import "C"