diff --git a/hack/podmansnoop b/hack/podmansnoop
index a404ccf0e8..343495e59c 100755
--- a/hack/podmansnoop
+++ b/hack/podmansnoop
@@ -125,7 +125,12 @@ def _print_event(cpu, data, size): # callback
 
     comm = e.comm.decode()
     if comm == "3":
-        # For absolutely unknown reasons, 'crun' appears as '3'.
+        # Because of CVE-2019-5736, crun copies itself on a memfd or temp file, add seals,
+        # then goes fexecve. The linux kernel will then set comm as the basename of
+        # /dev/fd/<fdnum>, which happens to be 3 being the first available file descriptor.
+        # runc implementation is slightly different, with multiple processes, and they also
+        # set the process name to make them intelligible (i.e. "runc:[0:PARENT]", "runc:[1:CHILD]")
+        # so it doesn't fall into this case.
         comm = "crun"
 
     if e.isArgv: