diff --git a/go.mod b/go.mod
index 1c9e3181..c616f52a 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/BurntSushi/toml v1.4.0
 github.com/containers/buildah v1.37.3
 github.com/containers/common v0.60.3
- github.com/containers/podman/v5 v5.2.2
+ github.com/containers/podman/v5 v5.2.3
 github.com/containers/storage v1.55.0
 github.com/distribution/reference v0.6.0
 github.com/docker/docker v27.1.1+incompatible
@@ -100,7 +100,7 @@ require (
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/moby/sys/mountinfo v0.7.2 // indirect
- github.com/moby/sys/user v0.2.0 // indirect
+ github.com/moby/sys/user v0.3.0 // indirect
 github.com/moby/term v0.5.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
diff --git a/go.sum b/go.sum
index d762a7d0..93967900 100644
--- a/go.sum
+++ b/go.sum
@@ -58,8 +58,8 @@ github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYgle
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sirVuPM=
 github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U=
-github.com/containers/podman/v5 v5.2.2 h1:UHDF+CeuRgqQc4EN0MNXrk1Xb45/5td/ClGmAOyiDJ8=
-github.com/containers/podman/v5 v5.2.2/go.mod h1:6RoRmwWUDYzAdDMJnzBWiSxGJF7xJinJG+s4RnczwZw=
+github.com/containers/podman/v5 v5.2.3 h1:jDAfDHoNqYsQMsKQS/8fnjfp+ZEErxOb4zzJGXUcZCQ=
+github.com/containers/podman/v5 v5.2.3/go.mod h1:LnDGMLgJdMWzWpsvrmXDzR8iZ4kZE6p0CFZdQbfAoBI=
 github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g=
 github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A=
 github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg=
@@ -248,8 +248,8 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
-github.com/moby/sys/user v0.2.0 h1:OnpapJsRp25vkhw8TFG6OLJODNh/3rEwRWtJ3kakwRM=
-github.com/moby/sys/user v0.2.0/go.mod h1:RYstrcWOJpVh+6qzUqp2bU3eaRpdiQeKGlKitaH0PM8=
+github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
+github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
diff --git a/vendor/github.com/containers/podman/v5/pkg/specgen/namespaces.go b/vendor/github.com/containers/podman/v5/pkg/specgen/namespaces.go
index f685ab3e..e5b99f89 100644
--- a/vendor/github.com/containers/podman/v5/pkg/specgen/namespaces.go
+++ b/vendor/github.com/containers/podman/v5/pkg/specgen/namespaces.go
@@ -11,9 +11,9 @@ import (
 "github.com/containers/common/pkg/cgroups"
 "github.com/containers/podman/v5/libpod/define"
 "github.com/containers/podman/v5/pkg/namespaces"
- "github.com/containers/podman/v5/pkg/rootless"
 "github.com/containers/podman/v5/pkg/util"
 "github.com/containers/storage/pkg/fileutils"
+ "github.com/containers/storage/pkg/unshare"
 storageTypes "github.com/containers/storage/types"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
@@ -160,10 +160,15 @@ func validateNetNS(n *Namespace) error {
 case Slirp:
 break
 case Pasta:
- if rootless.IsRootless() {
+ // Check if we run rootless/in a userns. Do not use rootless.IsRootless() here.
+ // Pasta switches to nobody when running as root which causes it to fail while
+ // opening the netns owned by root. However when pasta is already in a userns
+ // it doesn't switch to nobody so it works there.
+ // https://github.com/containers/podman/issues/17840
+ if unshare.IsRootless() {
 break
 }
- return fmt.Errorf("pasta networking is only supported for rootless mode")
+ return fmt.Errorf("pasta networking is only supported for rootless mode or when inside a nested userns")
 case "", Default, Host, Path, FromContainer, FromPod, Private, NoNetwork, Bridge:
 break
 default:
diff --git a/vendor/github.com/containers/podman/v5/version/rawversion/version.go b/vendor/github.com/containers/podman/v5/version/rawversion/version.go
index 81e0e2bb..65dbc9a5 100644
--- a/vendor/github.com/containers/podman/v5/version/rawversion/version.go
+++ b/vendor/github.com/containers/podman/v5/version/rawversion/version.go
@@ -7,4 +7,4 @@ package rawversion
 //
 // NOTE: remember to bump the version at the top of the top-level README.md
 // file when this is bumped.
-const RawVersion = "5.2.2"
+const RawVersion = "5.2.3"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ecf126e8..f8b7d0b1 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -197,7 +197,7 @@ github.com/containers/ocicrypt/keywrap/pkcs7
 github.com/containers/ocicrypt/spec
 github.com/containers/ocicrypt/utils
 github.com/containers/ocicrypt/utils/keyprovider
-# github.com/containers/podman/v5 v5.2.2
+# github.com/containers/podman/v5 v5.2.3
 ## explicit; go 1.21.0
 github.com/containers/podman/v5/cmd/podman/parse
 github.com/containers/podman/v5/libpod/define
@@ -577,8 +577,8 @@ github.com/moby/docker-image-spec/specs-go/v1
 # github.com/moby/sys/mountinfo v0.7.2
 ## explicit; go 1.17
 github.com/moby/sys/mountinfo
-# github.com/moby/sys/user v0.2.0
-## explicit; go 1.21
+# github.com/moby/sys/user v0.3.0
+## explicit; go 1.17
 github.com/moby/sys/user
 # github.com/moby/term v0.5.0
 ## explicit; go 1.18