QNAP is currently investigating CVE-2026-31431, also known as Copy Fail. We would like to provide further clarification for users who may be concerned about whether this vulnerability affects their QNAP NAS devices.
In short, the majority of QNAP NAS models are not affected by this vulnerability.
This issue only impacts certain ARM-based QNAP NAS models running affected versions of the Linux kernel. According to our current assessment:
- All x86-based QNAP NAS models are not affected.
- ARM-based NAS models running QTS 4.x are not affected.
- The issue only applies to specific ARM-based NAS models using affected kernel versions.
Please refer to the official QNAP security advisory for the latest information:
https://www.qnap.com/go/security-advisory/qsa-26-16
About this Vulnerability
This vulnerability is a local privilege escalation vulnerability.
This means that an attacker must first be able to execute code on the NAS as a regular (non-administrator) user before being able to further exploit the vulnerability. This is not a vulnerability that can be exploited remotely over the internet without any prior local access by the attacker.
On QNAP NAS devices, SSH and Telnet access rights are by default only granted to administrator group users. However, users are still advised to check the exposure of their systems and applications, especially if you are running services or containers accessible by other users or external networks.
Recommended Actions
To reduce overall risk, we recommend the following measures:
- Do not grant shell access to non-administrator users unless necessary.
- Only run container images from trusted sources.
- Check Container Station settings to prevent unnecessary users from accessing containers.
- Keep your applications, containers, and services up to date.
- Disable unused services and applications.
- If you are not actively using the built-in web server, we recommend disabling it via Control Panel > Web Server.
- Place your NAS behind a firewall to avoid direct exposure to the internet.
- Keep an eye on official security advisories and install security updates as soon as they become available.
QNAP is preparing security updates and will update the official security advisory with more information or patched versions when available.
If you have concerns about specific system settings, please contact QNAP Support for further assistance.
For security reasons, please do not post sensitive information in the forum, such as public IP addresses, usernames, device serial numbers, full logs, or detailed system configurations.
— QNAP Community Team
Content compiled based on information provided by the QNAP Product Security Incident Response Team