diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 1632cce06d7..4c56582ff1a 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -2195,6 +2195,9 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 		var mounts []byte
 		for _, m := range c.config.Mounts {
 			if m.IsBind() {
+				if strings.IndexByte(m.Source, 0) >= 0 {
+					return nil, fmt.Errorf("mount source string contains null byte: %q", m.Source)
+				}
 				mounts = append(mounts, []byte(m.Source)...)
 			}
 			mounts = append(mounts, byte(0))
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 9e39a70bede..cf54cf3dd5a 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -407,6 +407,18 @@ func createLibcontainerMount(cwd string, m specs.Mount) (*configs.Mount, error)
 			mnt.Source = filepath.Join(cwd, m.Source)
 		}
 	}
+
+	// None of the mount arguments can contain a null byte. Normally such
+	// strings would either cause some other failure or would just be truncated
+	// when we hit the null byte, but because we serialise these strings as
+	// netlink messages (which don't have special null-byte handling) we need
+	// to block this as early as possible.
+	if strings.IndexByte(mnt.Source, 0) >= 0 ||
+		strings.IndexByte(mnt.Destination, 0) >= 0 ||
+		strings.IndexByte(mnt.Device, 0) >= 0 {
+		return nil, errors.New("mount field contains null byte")
+	}
+
 	return mnt, nil
 }