diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
index 69884ef992a..5b04ba64f5d 100644
--- a/libcontainer/capabilities/capabilities.go
+++ b/libcontainer/capabilities/capabilities.go
@@ -5,6 +5,7 @@ package capabilities
 import (
 "sort"
 "strings"
+ "sync"
 
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/sirupsen/logrus"
@@ -14,24 +15,26 @@ import (
 const allCapabilityTypes = capability.CAPS | capability.BOUNDING | capability.AMBIENT
 
 var (
- capabilityMap map[string]capability.Cap
- capTypes = []capability.CapType{
+ capTypes = []capability.CapType{
 capability.BOUNDING,
 capability.PERMITTED,
 capability.INHERITABLE,
 capability.EFFECTIVE,
 capability.AMBIENT,
 }
+ capMap = sync.OnceValue(initCapMap)
 )
 
-func init() {
- capabilityMap = make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
+// Do not call directly, use capMap instead.
+func initCapMap() map[string]capability.Cap {
+ capabilityMap := make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
 for _, c := range capability.List() {
 if c > capability.CAP_LAST_CAP {
 continue
 }
 capabilityMap["CAP_"+strings.ToUpper(c.String())] = c
 }
+ return capabilityMap
 }
 
 // KnownCapabilities returns the list of the known capabilities.
@@ -78,9 +81,10 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
 // equivalent, and returns them as a slice. Unknown or unavailable capabilities
 // are not returned, but appended to unknownCaps.
 func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
+ cMap := capMap()
 var out []capability.Cap
 for _, c := range caps {
- if v, ok := capabilityMap[c]; !ok {
+ if v, ok := cMap[c]; !ok {
 unknownCaps[c] = struct{}{}
 } else {
 out = append(out, v)
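Review bot: In the second hunk (`@@ -14,24 +15,26 @@`), `capMap` hands every caller the same map instance built once by `initCapMap`, and nothing on the declaration says the result must be treated as read-only. capSlice only reads it in the lines shown (its body continues outside the third hunk), but a later caller that writes to the map would change capability-name resolution for the whole process and could race with concurrent readers. I would document this on the variable, for example `// capMap returns the shared name-to-capability map, built on first use; callers must not modify it.` `sync.OnceValue` was added in Go 1.21, so the module's minimum Go version (not visible in this diff) needs to be at least that.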