Tech note: Base OS vulnerability

This advisory concerns the Linux copy.fail vulnerability CVE-2026-31431.

Matillion has confirmed that this vulnerability is present in all Long-Term Support (LTS) versions of the Matillion ETL product, and likely in all versions of the product released since the vulnerable code was introduced into the Linux kernel in 2017. The vulnerability allows any user who can run a script on the instance to become root. It has affected most Linux instances worldwide and is considered very serious, with a severity rating of 7.8 out of 10.


Applies to

All Matillion ETL customers, including all customers who have migrated to the new openSUSE base image, and all customers who are still running on CentOS Stream 9.


What do you need to do?

openSUSE base image

For customers who have migrated to 1.80 instances and are now using the openSUSE base image, SUSE has provided a workaround, which Matillion has confirmed works on our instances. The steps required are:

  1. SSH into the Matillion ETL instance.
  2. Create a new file, /etc/modprobe.d/10-cvs-fix.conf, with the following contents:

    blacklist algif_aead
    install algif_aead /bin/false

  3. Reboot the instance with systemctl reboot.

This is likely to disable the AEAD security algorithm (the kernel's algif_aead module), and may impact any jobs that contact servers using this algorithm. SUSE is looking into a proper fix for this issue; we are monitoring their updates and will update this advisory as soon as possible. The SUSE solution is likely to be a kernel fix, and if so, we will reissue all Matillion ETL images on all platforms once the fix is available.

CentOS Stream 9 base image

For customers who have not yet migrated to the openSUSE base image and are still on CentOS Stream 9, no fix is available. CentOS Stream 9 is end-of-life, and there are no more kernel updates. The CentOS kernel has been built with a minimal number of loadable modules, and the affected module is compiled into the kernel. It cannot be disabled by blacklisting, as it can be on the SUSE kernel.
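The following check script is an added example, not Matillion's or SUSE's code. It tells an operator which of the two situations above an instance is in: whether algif_aead is compiled into the kernel (the CentOS Stream 9 case, where the modprobe.d workaround cannot apply), whether it is currently loaded, and whether the blacklist and install lines from the openSUSE workaround are both present. All file paths default to the live kernel's files but can be overridden, so the script also works on copies of /proc/modules, modules.builtin and /etc/modprobe.d taken from an instance.

```shell
#!/bin/sh
# Added example: assess the algif_aead workaround state on a Matillion ETL instance.
# Only reads files; it does not change configuration or load/unload modules.

# 0 if module $1 appears in the loaded-module list $2 (format of /proc/modules).
module_is_loaded() {
    grep -q "^$1 " "$2" 2>/dev/null
}

# 0 if module $1 is compiled into the kernel, per modules.builtin ($2).
# A built-in module cannot be blacklisted or unloaded (the CentOS Stream 9 case).
module_is_builtin() {
    grep -q "/$1\.ko$" "$2" 2>/dev/null
}

# 0 if the modprobe.d directory $2 contains both directives the workaround needs for $1.
# 'blacklist' only stops alias-based autoloading at boot; the 'install ... /bin/false'
# line is what makes any later modprobe request for the module fail instead of loading it.
mitigation_configured() {
    cat "$2"/*.conf 2>/dev/null | grep -qE "^[[:space:]]*blacklist[[:space:]]+$1[[:space:]]*$" &&
    cat "$2"/*.conf 2>/dev/null | grep -qE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false[[:space:]]*$"
}

# Prints one word: builtin / loaded / mitigated / not-loaded.
# Usage: assess [module] [modules-file] [modules.builtin-file] [modprobe.d-dir]
assess() {
    mod=${1:-algif_aead}
    modules_file=${2:-/proc/modules}
    builtin_list=${3:-/lib/modules/$(uname -r)/modules.builtin}
    confdir=${4:-/etc/modprobe.d}
    if module_is_builtin "$mod" "$builtin_list"; then
        echo builtin      # workaround cannot apply; only a kernel update helps
    elif module_is_loaded "$mod" "$modules_file"; then
        echo loaded       # config may be in place, but a reboot is still needed
    elif mitigation_configured "$mod" "$confdir"; then
        echo mitigated    # both directives present and module not loaded
    else
        echo not-loaded   # not loaded now, but nothing prevents autoloading later
    fi
}

assess "$@"
```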

We recommend that all concerned customers migrate to the new openSUSE base image once the kernel fix is available. In addition to this security fix, the openSUSE image has more than a 95% reduction in CVE score and will allow the mitigation of any future vulnerabilities. For details on the migration process, see Tech note - Base OS change to openSUSE.