diff --git a/pkg/util/flock/flock_unix.go b/pkg/util/flock/flock_unix.go
index 92d929f4e5a..3dae621b736 100644
--- a/pkg/util/flock/flock_unix.go
+++ b/pkg/util/flock/flock_unix.go
@@ -23,7 +23,7 @@ import "golang.org/x/sys/unix"
 // Acquire acquires a lock on a file for the duration of the process. This method
 // is reentrant.
 func Acquire(path string) error {
- fd, err := unix.Open(path, unix.O_CREAT|unix.O_RDWR, 0600)
+ fd, err := unix.Open(path, unix.O_CREAT|unix.O_RDWR|unix.O_CLOEXEC, 0600)
 if err != nil {
 return err
 }
diff --git a/pkg/util/mount/mount_linux.go b/pkg/util/mount/mount_linux.go
index 321034a316e..3e438870fa9 100644
--- a/pkg/util/mount/mount_linux.go
+++ b/pkg/util/mount/mount_linux.go
@@ -497,7 +497,7 @@ func ExclusiveOpenFailsOnDevice(pathname string) (bool, error) {
 klog.Errorf("Path %q is not referring to a device.", pathname)
 return false, nil
 }
- fd, errno := unix.Open(pathname, unix.O_RDONLY|unix.O_EXCL, 0)
+ fd, errno := unix.Open(pathname, unix.O_RDONLY|unix.O_EXCL|unix.O_CLOEXEC, 0)
 // If the device is in use, open will return an invalid fd.
 // When this happens, it is expected that Close will fail and throw an error.
 defer unix.Close(fd)
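Review bot: The new `O_CLOEXEC` flag on the `unix.Open` call in `Acquire` has no comment saying why it is there, and the reason is not obvious from the line itself. The doc comment says the lock is held for the duration of the process, so presumably the descriptor is kept open on purpose; a descriptor inherited by an exec'd child shares the open file description, which would let the child keep a flock-style lock alive after this process exits. I would add above the call: `// O_CLOEXEC: this fd stays open for the life of the process; exec'd children must not inherit it or the lock.` The same one-line rationale would help at the `unix.Open` call in `ExclusiveOpenFailsOnDevice` in mount_linux.go. The rest of `Acquire` is outside the hunk, so the locking call itself is not visible here.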
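Review bot: `defer unix.Close(fd)` in `ExclusiveOpenFailsOnDevice` is registered before `errno` is examined, so when the exclusive open fails it closes an invalid descriptor and discards the result. The existing comment says this is expected, but it would be clearer to defer the close only on success, e.g. `if errno == nil { defer unix.Close(fd) }`, so the function does not rely on close failing harmlessly. The handling of `errno` is outside the hunk, so confirm nothing after this point depends on the unconditional defer.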