diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/files_unix.go b/internal/third_party/systemd/activation/files_unix.go
similarity index 76%
rename from vendor/github.com/coreos/go-systemd/v22/activation/files_unix.go
rename to internal/third_party/systemd/activation/files_unix.go
index 7031f281a07..a1d9ebddf29 100644
--- a/vendor/github.com/coreos/go-systemd/v22/activation/files_unix.go
+++ b/internal/third_party/systemd/activation/files_unix.go
@@ -15,6 +15,10 @@
 //go:build !windows
 // Package activation implements primitives for systemd socket activation.
+//
+// It is a partial copy of https://github.com/coreos/go-systemd/v22/activation
+// (https://github.com/coreos/go-systemd/blob/ce60782c0aabb616faa8e60f91e639d91f631e99/activation/files_unix.go),
+// to avoid bringing in crypto/tls dependency.
 package activation
 import (
@@ -29,29 +33,18 @@ const (
 listenFdsStart = 3
 )
-// Files returns a slice containing a `os.File` object for each
+// Files returns a slice containing a os.File object for each
 // file descriptor passed to this process via systemd fd-passing protocol.
 //
 // The order of the file descriptors is preserved in the returned slice.
-// `unsetEnv` is typically set to `true` in order to avoid clashes in
-// fd usage and to avoid leaking environment flags to child processes.
-func Files(unsetEnv bool) []*os.File {
- if unsetEnv {
- defer func() {
- // Unsetenv implementation for unix never returns an error.
- _ = os.Unsetenv("LISTEN_PID")
- _ = os.Unsetenv("LISTEN_FDS")
- _ = os.Unsetenv("LISTEN_FDNAMES")
- }()
- }
-
+func Files() []*os.File {
 pid, err := strconv.Atoi(os.Getenv("LISTEN_PID"))
 if err != nil || pid != os.Getpid() {
 return nil
 }
 nfds, err := strconv.Atoi(os.Getenv("LISTEN_FDS"))
- if err != nil || nfds == 0 {
+ if err != nil || nfds <= 0 {
 return nil
 }
diff --git a/utils_linux.go b/utils_linux.go
index 6195a589851..d7f51e20216 100644
--- a/utils_linux.go
+++ b/utils_linux.go
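Review bot: The new `Files()` drops the `unsetEnv` parameter together with the deferred `os.Unsetenv` calls, but the doc comment above it no longer tells the reader that `LISTEN_PID`, `LISTEN_FDS` and `LISTEN_FDNAMES` are left in the process environment, which is the opposite of what a reader coming from upstream go-systemd expects. Suggest adding to the doc comment: `// Unlike the upstream go-systemd implementation, Files never unsets LISTEN_PID, LISTEN_FDS or LISTEN_FDNAMES; the caller decides whether these variables are passed on to child processes.` The rewritten first line also reads `a os.File`, which should be `an os.File`. The `nfds <= 0` tightening is fine, but the body of Files continues past the end of this hunk, so how nfds is bounded and turned into descriptors is not visible here.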
@@ -9,7 +9,6 @@ import (
 "path/filepath"
 "strconv"
- "github.com/coreos/go-systemd/v22/activation"
 "github.com/opencontainers/runtime-spec/specs-go"
 selinux "github.com/opencontainers/selinux/go-selinux"
 "github.com/sirupsen/logrus"
@@ -17,6 +16,7 @@ import (
 "golang.org/x/sys/unix"
 "github.com/opencontainers/runc/internal/pathrs"
+ "github.com/opencontainers/runc/internal/third_party/systemd/activation"
 "github.com/opencontainers/runc/libcontainer"
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/specconv"
@@ -399,17 +399,11 @@ func startContainer(context *cli.Context, action CtAct, criuOpts *libcontainer.C
 }
 }
- // Support on-demand socket activation by passing file descriptors into the container init process.
- listenFDs := []*os.File{}
- if os.Getenv("LISTEN_FDS") != "" {
- listenFDs = activation.Files(false)
- }
-
 r := &runner{
 enableSubreaper: !context.Bool("no-subreaper"),
 shouldDestroy: !context.Bool("keep"),
 container: container,
- listenFDs: listenFDs,
+ listenFDs: activation.Files(), // On-demand socket activation.
 notifySocket: notifySocket,
 consoleSocket: context.String("console-socket"),
 pidfdSocket: context.String("pidfd-socket"),
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/files_windows.go b/vendor/github.com/coreos/go-systemd/v22/activation/files_windows.go
deleted file mode 100644
index d391bf00c5e..00000000000
--- a/vendor/github.com/coreos/go-systemd/v22/activation/files_windows.go
+++ /dev/null
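Review bot: Replacing the `[]*os.File{}` initialisation with a bare `activation.Files()` in the runner literal changes `listenFDs` from an empty slice to nil whenever socket activation is not in use; that is equivalent for `len()`-based checks, but any consumer of `runner.listenFDs` that tests for `nil` (the runner type and its methods are outside this hunk) now sees a different value, so that is worth confirming before merging. Dropping the `LISTEN_FDS != ""` guard is sound, since `Files` returns nil itself when `LISTEN_PID` does not match or `LISTEN_FDS` is unset or unparsable. The trailing `// On-demand socket activation.` is much thinner than the comment it replaces; suggest keeping the explanation, e.g. `// Support on-demand socket activation by passing LISTEN_FDS file descriptors into the container init process.` startContainer begins before this hunk, so the surrounding control flow is not visible here.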
@@ -1,21 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import "os"
-
-func Files(unsetEnv bool) []*os.File {
- return nil
-}
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/listeners.go b/vendor/github.com/coreos/go-systemd/v22/activation/listeners.go
deleted file mode 100644
index 3dbe2b08776..00000000000
--- a/vendor/github.com/coreos/go-systemd/v22/activation/listeners.go
+++ /dev/null
@@ -1,103 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import (
- "crypto/tls"
- "net"
-)
-
-// Listeners returns a slice containing a net.Listener for each matching socket type
-// passed to this process.
-//
-// The order of the file descriptors is preserved in the returned slice.
-// Nil values are used to fill any gaps. For example if systemd were to return file descriptors
-// corresponding with "udp, tcp, tcp", then the slice would contain {nil, net.Listener, net.Listener}
-func Listeners() ([]net.Listener, error) {
- files := Files(true)
- listeners := make([]net.Listener, len(files))
-
- for i, f := range files {
- if pc, err := net.FileListener(f); err == nil {
- listeners[i] = pc
- f.Close()
- }
- }
- return listeners, nil
-}
-
-// ListenersWithNames maps a listener name to a set of net.Listener instances.
-func ListenersWithNames() (map[string][]net.Listener, error) {
- files := Files(true)
- listeners := map[string][]net.Listener{}
-
- for _, f := range files {
- if pc, err := net.FileListener(f); err == nil {
- current, ok := listeners[f.Name()]
- if !ok {
- listeners[f.Name()] = []net.Listener{pc}
- } else {
- listeners[f.Name()] = append(current, pc)
- }
- f.Close()
- }
- }
- return listeners, nil
-}
-
-// TLSListeners returns a slice containing a net.listener for each matching TCP socket type
-// passed to this process.
-// It uses default Listeners func and forces TCP sockets handlers to use TLS based on tlsConfig.
-func TLSListeners(tlsConfig *tls.Config) ([]net.Listener, error) {
- listeners, err := Listeners()
-
- if listeners == nil || err != nil {
- return nil, err
- }
-
- if tlsConfig != nil {
- for i, l := range listeners {
- // Activate TLS only for TCP sockets
- if l.Addr().Network() == "tcp" {
- listeners[i] = tls.NewListener(l, tlsConfig)
- }
- }
- }
-
- return listeners, err
-}
-
-// TLSListenersWithNames maps a listener name to a net.Listener with
-// the associated TLS configuration.
-func TLSListenersWithNames(tlsConfig *tls.Config) (map[string][]net.Listener, error) {
- listeners, err := ListenersWithNames()
-
- if listeners == nil || err != nil {
- return nil, err
- }
-
- if tlsConfig != nil {
- for _, ll := range listeners {
- // Activate TLS only for TCP sockets
- for i, l := range ll {
- if l.Addr().Network() == "tcp" {
- ll[i] = tls.NewListener(l, tlsConfig)
- }
- }
- }
- }
-
- return listeners, err
-}
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go b/vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go
deleted file mode 100644
index a97206785a4..00000000000
--- a/vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import (
- "net"
-)
-
-// PacketConns returns a slice containing a net.PacketConn for each matching socket type
-// passed to this process.
-//
-// The order of the file descriptors is preserved in the returned slice.
-// Nil values are used to fill any gaps. For example if systemd were to return file descriptors
-// corresponding with "udp, tcp, udp", then the slice would contain {net.PacketConn, nil, net.PacketConn}
-func PacketConns() ([]net.PacketConn, error) {
- files := Files(true)
- conns := make([]net.PacketConn, len(files))
-
- for i, f := range files {
- if pc, err := net.FilePacketConn(f); err == nil {
- conns[i] = pc
- f.Close()
- }
- }
- return conns, nil
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 66eae80f57c..1824f87bf52 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -28,7 +28,6 @@ github.com/cilium/ebpf/link
 github.com/containerd/console
 # github.com/coreos/go-systemd/v22 v22.6.0
 ## explicit; go 1.23
-github.com/coreos/go-systemd/v22/activation
 github.com/coreos/go-systemd/v22/dbus
 # github.com/cpuguy83/go-md2man/v2 v2.0.7
 ## explicit; go 1.12