diff --git a/Dockerfile b/Dockerfile
index 6acae0759b998..233a56507175f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -154,6 +154,7 @@ RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
 FROM runtime-dev AS runc
 ENV INSTALL_BINARY_NAME=runc
 COPY hack/dockerfile/install/install.sh ./install.sh
+COPY git-bundles /go/src/github.com/docker/docker/git-bundles
 COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
 RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
diff --git a/git-bundles/CVE-2019-5736.bundle b/git-bundles/CVE-2019-5736.bundle
new file mode 100644
index 0000000000000..0de9be4fb3f52
Binary files /dev/null and b/git-bundles/CVE-2019-5736.bundle differ
diff --git a/hack/dockerfile/install/runc.installer b/hack/dockerfile/install/runc.installer
index c6d28982f44e2..1ad05ea2f9f47 100755
--- a/hack/dockerfile/install/runc.installer
+++ b/hack/dockerfile/install/runc.installer
@@ -5,6 +5,8 @@
 # version that is used. If you need to update runc, open a pull request in
 # the containerd project first, and update both after that is merged.
 RUNC_COMMIT=96ec2177ae841256168fcf76954f7177af9446eb
+RUNC_OVERRIDE_COMMIT=09c8266bf2fcf9519a651b04ae54c967b9ab86ec
+RUNC_BUNDLE=/go/src/github.com/docker/docker/git-bundles/CVE-2019-5736.bundle
 
 install_runc() {
 	# If using RHEL7 kernels (3.10.0 el7), disable kmem accounting/limiting
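Review bot: The bundle location `/go/src/github.com/docker/docker/git-bundles` is spelled out here in the `COPY` and again as `RUNC_BUNDLE=` in the runc.installer hunk, so the two can drift apart without any build error, because the installer silently skips the override whenever the file is absent. Declaring it once, e.g. `ENV RUNC_BUNDLE=/go/src/github.com/docker/docker/git-bundles/CVE-2019-5736.bundle` next to `ENV INSTALL_BINARY_NAME=runc` and reading that variable in the installer, keeps the patched-runc path in one place. A comment on the `COPY` line naming why the bundles stage exists (`# git bundles carrying patches not yet in the pinned upstream runc`) would also help the next reader of this stage.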
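Review bot: The new `RUNC_OVERRIDE_COMMIT` and `RUNC_BUNDLE` variables carry no comment, while the comment directly above them says runc updates must go through the containerd project first, which the bundle mechanism deliberately bypasses. Add a short comment above `RUNC_OVERRIDE_COMMIT` stating that it is the CVE-2019-5736 fix shipped in-tree as a git bundle (presumably because the pinned upstream runc does not yet contain it), and that both variables and the bundle file should be removed once `RUNC_COMMIT` is bumped to a commit that includes the fix. Without that note, whoever next bumps `RUNC_COMMIT` will not see that the override still wins as long as the bundle file exists.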
@@ -19,12 +21,25 @@ install_runc() {
 	git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc"
 	cd "$GOPATH/src/github.com/opencontainers/runc"
 	git checkout -q "$RUNC_COMMIT"
+
+	if [ -f "$RUNC_BUNDLE" ];then
+		git bundle unbundle "$RUNC_BUNDLE"
+		git checkout -q "$RUNC_OVERRIDE_COMMIT"
+		if [ "$(git rev-parse HEAD)" != "$RUNC_OVERRIDE_COMMIT" ]; then
+			echo "ERROR: Commit with bundle does not match override commit"
+			echo "       $(git rev-parse HEAD) != '$RUNC_OVERRIDE_COMMIT'"
+			exit 1
+		fi
+		RUNC_COMMIT=$RUNC_OVERRIDE_COMMIT
+	fi
+
 	if [ -z "$1" ]; then
 		target=static
 	else
 		target="$1"
 	fi
-	make BUILDTAGS="$RUNC_BUILDTAGS" "$target"
+	OVERRIDE_VERSION="1.0.0-rc6+dev.docker-18.09"
+	make BUILDTAGS="$RUNC_BUILDTAGS" COMMIT="$RUNC_COMMIT" VERSION="$OVERRIDE_VERSION" "$target"
 	mkdir -p ${PREFIX}
 	cp runc ${PREFIX}/runc
 }
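Review bot: When `$RUNC_BUNDLE` is absent the `if [ -f ... ]` branch is skipped and the build silently produces runc at the unpatched `RUNC_COMMIT`, and a failing `git bundle unbundle` is likewise unchecked (whether the script runs under `set -e` is not visible in this hunk; the function header is outside it). Since the Dockerfile always copies the bundle in, a missing file is a broken build rather than a supported configuration, so fail loudly: replace the `-f` test with a guard such as `[ -f "$RUNC_BUNDLE" ] || { echo "ERROR: $RUNC_BUNDLE missing"; exit 1; }` and chain `git bundle unbundle "$RUNC_BUNDLE" || exit 1`. The `git rev-parse HEAD` comparison after the checkout is a sound integrity check that the pinned override hash is what was actually built and should stay. Minor style: `];then` on the new `if` line is missing the space after the semicolon.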