diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index bd89b253d5a..7e1298c4d16 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -223,6 +223,12 @@ func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSock
 return err
 }

+ // Clean the RLIMIT_NOFILE cache in go runtime.
+ // Issue: https://github.com/opencontainers/runc/issues/4195
+ if containsRlimit(config.Rlimits, unix.RLIMIT_NOFILE) {
+ system.ClearRlimitNofileCache()
+ }
+
 switch t {
 case initSetns:
 i := &linuxSetnsInit{
@@ -649,6 +655,15 @@ func setupRoute(config *configs.Config) error {
 return nil
 }

+func containsRlimit(limits []configs.Rlimit, resource int) bool {
+ for _, rlimit := range limits {
+ if rlimit.Type == resource {
+ return true
+ }
+ }
+ return false
+}
+
 func setupRlimits(limits []configs.Rlimit, pid int) error {
 for _, rlimit := range limits {
 if err := unix.Prlimit(pid, rlimit.Type, &unix.Rlimit{Max: rlimit.Hard, Cur: rlimit.Soft}, nil); err != nil {
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
index 18745d658c8..de3a15f6e2f 100644
--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -49,6 +49,7 @@ func (l *linuxSetnsInit) Init() error {
 }
 }
 }
+
 if l.config.CreateConsole {
 if err := setupConsole(l.consoleSocket, l.config, false); err != nil {
 return err
diff --git a/libcontainer/system/linux.go b/libcontainer/system/linux.go
index 368364baf04..5e24d44e112 100644
--- a/libcontainer/system/linux.go
+++ b/libcontainer/system/linux.go
@@ -8,6 +8,7 @@ import (
 "io"
 "os"
 "strconv"
+ "sync/atomic"
 "syscall"
 "unsafe"

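Review bot: The comment added in containerInit (first hunk of libcontainer/init_linux.go) says what is cleared but not why it must be cleared in this process, and that reason is the security-relevant part. Going by the doc comment on ClearRlimitNofileCache in system/linux.go and the `unix.Prlimit(pid, ...)` call visible in setupRlimits, the parent applies RLIMIT_NOFILE to this process from outside, so the value cached by the Go runtime is stale and would be restored at execve, leaving the container without its configured limit. I would state that directly, e.g. `// The parent sets our RLIMIT_NOFILE via prlimit(2); drop the Go runtime's cached value so execve does not restore the old limit.` The issue link in the comment points at github.com rather than the project's own tracker and is worth checking before merge. containerInit begins and ends outside this hunk.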
@@ -15,6 +16,20 @@ import (
 "golang.org/x/sys/unix"
 )

+//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile
+var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit]
+
+// As reported in issue #4195, the new version of go runtime(since 1.19)
+// will cache rlimit-nofile. Before executing execve, the rlimit-nofile
+// of the process will be restored with the cache. In runc, this will
+// cause the rlimit-nofile setting by the parent process for the container
+// to become invalid. It can be solved by clearing this cache. But
+// unfortunately, go stdlib doesn't provide such function, so we need to
+// link to the private var `origRlimitNofile` in package syscall to hack.
+func ClearRlimitNofileCache() {
+ syscallOrigRlimitNofile.Store(nil)
+}
+
 type ParentDeathSignal int

 func (p ParentDeathSignal) Restore() error {
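Review bot: The `//go:linkname` declaration binds to the unexported `syscall.origRlimitNofile` with a hard-coded type, `atomic.Pointer[syscall.Rlimit]`, and nothing in this hunk ties it to the Go releases where the variable actually has that type. Types are not checked across a linkname, so on a toolchain that declares the variable differently `Store(nil)` would write through the wrong layout inside runc's init process, and a toolchain that renames it or rejects the linkname breaks the build. The comment's "since 1.19" is broader than what this declaration can be assumed to match. I would move the linkname into a file with a `//go:build` constraint naming the releases it was verified against, so an unverified toolchain fails to build instead of compiling against an assumed layout. An integration test that reads the container's NOFILE limit after exec would catch a silent regression, and the doc comment should open with the function name, e.g. `// ClearRlimitNofileCache clears the Go runtime's cached RLIMIT_NOFILE so it is not restored before execve.`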