Funtoo Linux / FL-9383

runc - medium severity CVE

      app-emulation/runc-1.0.1 has a medium severity CVE:
      https://nvd.nist.gov/vuln/detail/CVE-2021-43784

      <REDACTED>

      This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.

      found using https://github.com/mrl5/vulner

      example packages that depend on runc:

      $ equery depends runc
      app-emulation/containerd-1.5.5 (~app-emulation/runc-1.0.1)

            mrl5 mrl5
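One way to apply the workaround quoted above (disallowing untrusted namespace paths) is to audit a container's OCI config.json before handing it to runc. This is an added example, not part of the original ticket or of runc; the function name, the allow-list parameter and the sample config are assumptions constructed for illustration.

```python
import json

# Constructed sample OCI runtime config.json (not taken from the ticket).
SAMPLE_CONFIG = """
{
  "ociVersion": "1.0.2",
  "linux": {
    "namespaces": [
      {"type": "pid"},
      {"type": "mount"},
      {"type": "network", "path": "/proc/1234/ns/net"},
      {"type": "ipc", "path": "/run/trusted/ipc"}
    ]
  }
}
"""

def untrusted_namespace_paths(config_text, allowed_paths=frozenset()):
    """Return (type, path) for every namespace entry that joins an existing
    namespace through a path outside the operator's allow-list."""
    config = json.loads(config_text)
    linux = config.get("linux") or {}
    namespaces = linux.get("namespaces") or []
    if not isinstance(namespaces, list):
        raise ValueError("linux.namespaces must be a list")
    findings = []
    for entry in namespaces:
        if not isinstance(entry, dict):
            raise ValueError("namespace entry must be an object")
        path = entry.get("path")
        # No path means the runtime creates a fresh namespace: nothing to review.
        if path and path not in allowed_paths:
            findings.append((entry.get("type"), path))
    return findings

if __name__ == "__main__":
    for ns_type, path in untrusted_namespace_paths(SAMPLE_CONFIG):
        print(f"review before running: {ns_type} namespace joins {path}")
```

An empty result means every namespace is either newly created or joins a path the operator explicitly listed; anything else should be rejected or reviewed regardless of the runc version, as the advisory text notes.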