diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 38b43e422ca..43bfc293c8e 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -41,7 +41,7 @@ jobs:
 sudo apt -qy install libseccomp-dev
 - uses: golangci/golangci-lint-action@v8
 with:
- version: v2.4
+ version: v2.5
 # Extra linters, only checking new code from a pull request.
 - name: lint-extra
 if: github.event_name == 'pull_request'
diff --git a/libcontainer/exeseal/cloned_binary_linux.go b/libcontainer/exeseal/cloned_binary_linux.go
index 7e0957fc801..cfe03da46f7 100644
--- a/libcontainer/exeseal/cloned_binary_linux.go
+++ b/libcontainer/exeseal/cloned_binary_linux.go
@@ -125,7 +125,7 @@ func getSealableFile(comment, tmpDir string) (file *os.File, sealFn SealFunc, er
 // First, try an executable memfd (supported since Linux 3.17).
 file, sealFn, err = Memfd(comment)
 if err == nil {
- return
+ return file, sealFn, err
 }
 logrus.Debugf("memfd cloned binary failed, falling back to O_TMPFILE: %v", err)
@@ -154,7 +154,7 @@ func getSealableFile(comment, tmpDir string) (file *os.File, sealFn SealFunc, er
 file.Close()
 continue
 }
- return
+ return file, sealFn, err
 }
 logrus.Debugf("O_TMPFILE cloned binary failed, falling back to mktemp(): %v", err)
 // Finally, try a classic unlinked temporary file.
@@ -168,7 +168,7 @@ func getSealableFile(comment, tmpDir string) (file *os.File, sealFn SealFunc, er
 file.Close()
 continue
 }
- return
+ return file, sealFn, err
 }
 return nil, nil, fmt.Errorf("could not create sealable file for cloned binary: %w", err)
 }
diff --git a/libcontainer/integration/utils_test.go b/libcontainer/integration/utils_test.go
index d73fc68063b..8fb8f86638a 100644
--- a/libcontainer/integration/utils_test.go
+++ b/libcontainer/integration/utils_test.go
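Review bot: In getSealableFile (libcontainer/exeseal/cloned_binary_linux.go), the first rewritten return sits directly under `if err == nil {`, so `return file, sealFn, err` can only ever return a nil error; `return file, sealFn, nil` states the success path outright and no longer depends on the current value of the named result. The returns in the `@@ -154,7` and `@@ -168,7` hunks look like the same case, since each follows a failure branch that ends in `continue`, but their guarding conditions are outside the hunks, so confirm err is nil there before changing them. The function begins before and continues past each of the three hunks.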
@@ -210,7 +210,7 @@ func runContainer(t testing.TB, config *configs.Config, args ...string) (buffers
 } else {
 return buffers, -1, err
 }
- return
+ return buffers, exitCode, err
 }
 // runContainerOk is a wrapper for runContainer, simplifying its use for cases
diff --git a/libcontainer/internal/userns/usernsfd_linux.go b/libcontainer/internal/userns/usernsfd_linux.go
index 773ba17cad6..a1151a3fb35 100644
--- a/libcontainer/internal/userns/usernsfd_linux.go
+++ b/libcontainer/internal/userns/usernsfd_linux.go
@@ -34,7 +34,7 @@ func (m Mapping) toSys() (uids, gids []syscall.SysProcIDMap) {
 Size: int(gid.Size),
 })
 }
- return
+ return uids, gids
 }
 // id returns a unique identifier for this mapping, agnostic of the order of
diff --git a/libcontainer/mount_linux.go b/libcontainer/mount_linux.go
index 683b5e62425..9d4b5dcef55 100644
--- a/libcontainer/mount_linux.go
+++ b/libcontainer/mount_linux.go
@@ -236,7 +236,7 @@ func syscallMode(i fs.FileMode) (o uint32) {
 o |= unix.S_ISVTX
 }
 // No mapping for Go's ModeTemporary (plan9 only).
- return
+ return o
 }
 // mountFd creates a "mount source fd" (either through open_tree(2) or just
diff --git a/libcontainer/nsenter/nsenter_test.go b/libcontainer/nsenter/nsenter_test.go
index c0b4e9b47e4..123448bc253 100644
--- a/libcontainer/nsenter/nsenter_test.go
+++ b/libcontainer/nsenter/nsenter_test.go
@@ -199,7 +199,7 @@ func newPipe(t *testing.T) (parent *os.File, child *os.File) {
 parent.Close()
 child.Close()
 })
- return
+ return parent, child
 }
 func reapChildren(t *testing.T, parent *os.File) {
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index a7a72b8bb19..aa1f68b94f4 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -1155,7 +1155,7 @@ func msMoveRoot(rootfs string) error {
 strings.HasPrefix(info.Mountpoint, rootfs) {
 skip = true
 }
- return
+ return skip, stop
 })
 if err != nil {
 return err
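Review bot: In the filter callback inside msMoveRoot (libcontainer/rootfs_linux.go), the context line `strings.HasPrefix(info.Mountpoint, rootfs) {` is a raw string-prefix test, so a mountpoint in a sibling directory whose name merely begins with the rootfs path (constructed example: rootfs `/run/c/rootfs`, mountpoint `/run/c/rootfs-old/proc`) also reaches `skip = true`. This commit leaves that line unchanged and the rest of the condition lies above the hunk, so whether such a mount can occur here needs confirming against the full function. If it can, match on a path boundary instead, for example `info.Mountpoint == rootfs || strings.HasPrefix(info.Mountpoint, rootfs+"/")`, assuming rootfs is a cleaned path without a trailing slash.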
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
index e663fda3306..035d0c0d834 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -676,7 +676,7 @@ func filterFlags(config *configs.Seccomp, filter *libseccomp.ScmpFilter) (flags
 }
 }
- return
+ return flags, noNewPrivs, err
 }
 func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (fd int, err error) {
@@ -706,7 +706,7 @@ func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (fd int, err erro
 }
 runtime.KeepAlive(filter)
 runtime.KeepAlive(fprog)
- return
+ return fd, err
 }
 // PatchAndLoad takes a seccomp configuration and a libseccomp filter which has
diff --git a/libcontainer/utils/utils.go b/libcontainer/utils/utils.go
index ee9e255e7e2..1467d17eb20 100644
--- a/libcontainer/utils/utils.go
+++ b/libcontainer/utils/utils.go
@@ -112,5 +112,5 @@ func Annotations(labels []string) (bundle string, userAnnotations map[string]str
 userAnnotations[name] = value
 }
 }
- return
+ return bundle, userAnnotations
 }
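Review bot: The two `runtime.KeepAlive` calls just ahead of `return fd, err` in sysSeccompSetFilter (libcontainer/seccomp/patchbpf/enosys_linux.go) carry no comment in the visible lines, and a later cleanup could easily delete them as dead code. A one-line comment above them would record why they are there, for example `// filter and fprog must stay reachable until the call above has returned.` The call they protect is above the hunk, presumably the seccomp filter installation, so the wording should be adjusted to match it.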