diff --git a/Cargo.lock b/Cargo.lock
index 963f30fed8..a9342bd684 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4047,6 +4047,8 @@ dependencies = [
 "persist",
 "procfs 0.12.0",
 "prometheus",
+ "protobuf",
+ "protocols",
 "resource",
 "runtime-spec",
 "serde_json",
diff --git a/src/libs/protocols/build.rs b/src/libs/protocols/build.rs
index f5a4c13cd2..5aab01866e 100644
--- a/src/libs/protocols/build.rs
+++ b/src/libs/protocols/build.rs
@@ -191,6 +191,7 @@ fn real_main() -> Result<(), std::io::Error> {
 "protos/oci.proto",
 "protos/types.proto",
 "protos/csi.proto",
+ "protos/runtimeoptions.proto",
 ],
 false,
 )?;
diff --git a/src/libs/protocols/protos/runtimeoptions.proto b/src/libs/protocols/protos/runtimeoptions.proto
new file mode 100644
index 0000000000..38ce1a6038
--- /dev/null
+++ b/src/libs/protocols/protos/runtimeoptions.proto
@@ -0,0 +1,20 @@
+// Copyright (c) 2024 The containerd Authors
+// SPDX-License-Identifier: Apache-2.0
+//
+// This proto definition is based on containerd's runtimeoptions/v1/api.proto
+// https://github.com/containerd/containerd/blob/main/api/types/runtimeoptions/v1/api.proto
+
+syntax = "proto3";
+
+package runtimeoptions.v1;
+
+message Options {
+ // TypeUrl specifies the type of the content inside the config file.
+ string type_url = 1;
+ // ConfigPath specifies the filesystem location of the config file
+ // used by the runtime.
+ string config_path = 2;
+ // Blob specifies an in-memory TOML blob passed from containerd's configuration section
+ // for this runtime. This will be used if config_path is not specified.
+ bytes config_body = 3;
+}
diff --git a/src/libs/protocols/src/lib.rs b/src/libs/protocols/src/lib.rs
index 3c42f6055f..5e6a67fe90 100644
--- a/src/libs/protocols/src/lib.rs
+++ b/src/libs/protocols/src/lib.rs
@@ -22,6 +22,7 @@ pub mod remote;
 pub mod remote_ttrpc;
 #[cfg(feature = "async")]
 pub mod remote_ttrpc_async;
+pub mod runtimeoptions;
 #[cfg(feature = "with-serde")]
 mod serde_config;
 pub mod trans;
diff --git a/src/runtime-rs/crates/runtimes/Cargo.toml b/src/runtime-rs/crates/runtimes/Cargo.toml
index 4220af8874..7ae0cc4206 100644
--- a/src/runtime-rs/crates/runtimes/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/Cargo.toml
@@ -38,6 +38,8 @@ oci-spec = { workspace = true }
 agent = { workspace = true }
 common = { workspace = true }
 kata-types = { workspace = true }
+protocols = { workspace = true }
+protobuf = { workspace = true }
 kata-sys-util = { workspace = true }
 logging = { workspace = true }
 runtime-spec = { workspace = true }
diff --git a/src/runtime-rs/crates/runtimes/common/Cargo.toml b/src/runtime-rs/crates/runtimes/common/Cargo.toml
index 5f0578a6de..0d6585ce4d 100644
--- a/src/runtime-rs/crates/runtimes/common/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/common/Cargo.toml
@@ -10,7 +10,7 @@ license = { workspace = true }
 [dependencies]
 anyhow = { workspace = true }
 async-trait = { workspace = true }
-containerd-shim-protos = { workspace = true }
+containerd-shim-protos = { workspace = true, features = ["sandbox"] }
 lazy_static = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
diff --git a/src/runtime-rs/crates/runtimes/src/manager.rs b/src/runtime-rs/crates/runtimes/src/manager.rs
index fa46a1a0dc..e65944e62a 100644
--- a/src/runtime-rs/crates/runtimes/src/manager.rs
+++ b/src/runtime-rs/crates/runtimes/src/manager.rs
@@ -39,13 +39,14 @@ use resource::{
 };
 use runtime_spec as spec;
 use shim_interface::shim_mgmt::ERR_NO_SHIM_SERVER;
+use protobuf::Message as ProtobufMessage;
 use std::{
 collections::HashMap,
 env,
 ops::Deref,
 os::unix::fs::{chown, MetadataExt},
 path::{Path, PathBuf},
- str::{from_utf8, FromStr},
+ str::FromStr,
 sync::Arc,
 time::SystemTime,
 };
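Review bot: In the manager.rs import hunk, `use protobuf::Message as ProtobufMessage;` is placed after `use shim_interface::shim_mgmt::ERR_NO_SHIM_SERVER;`, which breaks the alphabetical order of the surrounding `use` lines. rustfmt's default import sorting would likely move it above `use resource::{`, so a `cargo fmt --check` gate may reject the commit as written. The import list starts above the hunk, so the exact target position depends on lines not shown here.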
@@ -700,11 +701,21 @@ fn load_config(an: &HashMap, option: &Option>) -> Result
 } else if let Ok(path) = std::env::var(KATA_CONF_FILE) {
 path
 } else if let Some(option) = option {
- // get rid of the special characters in options to get the config path
- if option.len() > 2 {
- from_utf8(&option[2..])?.to_string()
- } else {
- String::from("")
+ // Parse the containerd runtime options protobuf message to extract the config path.
+ // The options are passed as a serialized runtimeoptions.v1.Options protobuf message
+ // from containerd's configuration (e.g., [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options]).
+ match ::parse_from_bytes(option) {
+ Ok(opts) => opts.config_path,
+ Err(e) => {
+ // Log the error but don't fail - fall back to default config paths
+ let logger = slog::Logger::clone(&slog_scope::logger());
+ slog::warn!(
+ logger,
+ "failed to parse containerd runtime options: {}, falling back to default config paths",
+ e
+ );
+ String::from("")
+ }
 }
 } else {
 String::from("")
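Review bot: The `Err(e)` arm of the new `match` fails open: when the containerd runtime options cannot be decoded it only logs a warning and yields an empty path, so the lookup continues with the default configuration locations instead of the file the operator configured, whereas the removed code propagated its `from_utf8` failure with `?`. Starting a sandbox from an unintended configuration is harder to notice than a refused start, so consider propagating the error, e.g. `Err(e) => return Err(e.into()),` (assuming the function's error type accepts that conversion, as the removed `?` suggests). The `Ok(opts)` arm has the same silent fallback when `config_path` is empty: `type_url` and `config_body` are dropped without a log line, although the proto comment added in this commit says the body is used when no path is given; a warning such as `slog::warn!(logger, "runtime options carry an inline config_body, which is ignored")` would make that visible. `load_config` begins and ends outside this hunk, so how the empty string is handled afterwards is inferred from the new log message.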