diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index 7f36eb1bf..63fb5d4f7 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -777,6 +777,10 @@ func defaultRuntimeSpec(id string) (*runtimespec.Spec, error) {
 if mount.Destination == "/run" {
 continue
 }
+ // CRI plugin handles `/dev/shm` itself.
+ if mount.Destination == "/dev/shm" {
+ continue
+ }
 mounts = append(mounts, mount)
 }
 spec.Mounts = mounts
diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
index 510b44e8d..0254f3d0e 100644
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -388,6 +388,14 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
 g.RemoveLinuxNamespace(string(runtimespec.IPCNamespace)) // nolint: errcheck
 }
 
+ // It's fine to generate the spec before the sandbox /dev/shm
+ // is actually created.
+ sandboxDevShm := c.getSandboxDevShm(id)
+ if nsOptions.GetIpc() == runtime.NamespaceMode_NODE {
+ sandboxDevShm = devShm
+ }
+ g.AddBindMount(sandboxDevShm, devShm, []string{"rbind", "ro"})
+
 selinuxOpt := securityContext.GetSelinuxOptions()
 processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
 if err != nil {
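Review bot: The new comment on the `/dev/shm` skip says who handles it but not why the default tmpfs must be dropped, which is the part a future reader needs before re-adding it; the sandbox_run.go hunk in this same commit bind-mounts the sandbox-level `/dev/shm` into the pause container, so a per-container tmpfs here would shadow that shared mount. I would expand it to `// Skip the default /dev/shm tmpfs: the CRI plugin bind-mounts the sandbox /dev/shm (shared across the pod's containers) itself, and a container-local tmpfs would shadow it.` Stylistically the loop now has two parallel `if mount.Destination == ... { continue }` checks; folding them into `switch mount.Destination { case "/run", "/dev/shm": continue }` keeps the skip list in one place. The enclosing loop and defaultRuntimeSpec start and end outside the hunk.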
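Review bot: The `"ro"` on the new `g.AddBindMount(sandboxDevShm, devShm, []string{"rbind", "ro"})` is, as far as I recall runc's behaviour, applied by a remount of the target mount point only, so with `rbind` any mounts nested under the source keep their own writability; recursive read-only needs `rro`, which depends on a newer runc and kernel, so I would not change the flags but would document the limit. A comment such as `// The pause container never writes to /dev/shm; "ro" applies only to the top-level bind mount, nested mounts under the source keep their own flags.` makes the guarantee explicit. In the `NamespaceMode_NODE` case the host `/dev/shm` is exposed to the sandbox, which is the expected hostIPC semantics, but that condition appears to duplicate the one that drives the `RemoveLinuxNamespace(IPCNamespace)` call on the first context line (its `if` is outside the hunk); moving `sandboxDevShm = devShm` into that existing branch keeps the two host-IPC decisions from drifting apart. generateSandboxContainerSpec starts and ends outside the hunk.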