Tech note: Base OS vulnerability

This advisory concerns the Linux copy.fail vulnerability (CVE-2026-31431).

Matillion has confirmed that this vulnerability is present in all Long-Term Support (LTS) versions of the Matillion ETL product, and likely in all versions of the product released since the vulnerable code was introduced into the Linux kernel in 2017. The vulnerability allows any user who can run a script to become root. It has affected most Linux instances worldwide and is considered very serious, with a rating of 7.8 out of 10.


Applies to

All Matillion ETL customers, including all customers who have migrated to the new openSUSE base image, and all customers who are still running on CentOS Stream 9.


What do you need to do?

openSUSE base image

Customers who have migrated to 1.80 instances and are now using the openSUSE base image can now run yum update --security to install the proper fix. We are updating Matillion ETL images on all platforms and will release them shortly.

CentOS Stream 9 base image

For customers who haven't yet migrated to the openSUSE base image and are still on CentOS Stream 9, the following workaround is available:

  1. SSH into the Matillion ETL instance with root access.
  2. Edit /etc/default/grub and add the following to the GRUB_CMDLINE_LINUX variable:

    initcall_blacklist=algif_aead_init
    
  3. Run the following command to update the kernel parameters:

    grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
    
  4. Reboot the instance with systemctl reboot.

However, please note that CentOS Stream 9 is end-of-life, and there are no more kernel updates. We recommend that all concerned customers migrate to the new openSUSE base image. In addition to this security fix, the openSUSE image has more than a 95% reduction in CVE score and will allow the mitigation of any future vulnerabilities. For details on the migration process, see Tech note - Base OS change to openSUSE.
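
To confirm that the CentOS Stream 9 workaround above is in effect after step 4, the following added example (not Matillion's own code) reports whether the running kernel was booted with the parameter or whether a reboot is still pending. The function names are hypothetical, and the check assumes the default paths /etc/default/grub and /proc/cmdline; it does not inspect the boot entries that grubby writes in step 3.

```shell
#!/bin/sh
# Added example: check the state of the initcall_blacklist workaround.
# File paths are parameters so the checks can be run against copies.

PARAM_FN="algif_aead_init"

# has_blacklist "<kernel command line>"
# Succeeds if any initcall_blacklist= token lists $PARAM_FN. The kernel
# accepts a comma-separated list, so "initcall_blacklist=foo,algif_aead_init"
# counts, while a longer name such as "algif_aead_init_x" does not.
has_blacklist() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        grep -Eq "^initcall_blacklist=(.*,)?${PARAM_FN}(,.*)?\$"
}

# grub_cmdline <file>
# Prints the value of the last active (uncommented) GRUB_CMDLINE_LINUX=
# line with its quotes removed.
grub_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# workaround_state [grub_file] [cmdline_file]
# Prints one of:
#   active          running kernel was booted with the parameter
#   reboot-pending  set in the grub defaults file, but not on the running
#                   kernel's command line
#   missing         not found in either place
workaround_state() {
    grub_file=${1:-/etc/default/grub}
    cmdline_file=${2:-/proc/cmdline}
    if has_blacklist "$(cat "$cmdline_file")"; then
        echo active
    elif has_blacklist "$(grub_cmdline "$grub_file")"; then
        echo reboot-pending
    else
        echo missing
    fi
}

# Report on the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    workaround_state
fi
```

A result of reboot-pending means steps 2 and 3 were applied but the instance is still running a kernel booted without the parameter, so the workaround is not yet protecting it.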