[Security Advisory] CVE-2026-31431 'Copy Fail' — Impact Overview for QNAP NAS Users

QNAP is currently investigating CVE-2026-31431, also known as Copy Fail. We would like to provide additional information to users concerned about how this vulnerability may impact QNAP NAS devices.

In short, most QNAP NAS models are not affected by this vulnerability.

This issue only affects certain ARM-based QNAP NAS models running specific versions of the Linux kernel. Our current assessment is as follows:

  • No x86-based QNAP NAS models are affected.
  • ARM-based NAS models running QTS 4.x are not affected.
  • This issue only applies to certain ARM-based NAS models running the affected kernel version.

For the latest updates, please refer to the official QNAP Security Advisory.

https://www.qnap.com/go/security-advisory/qsa-26-16

About This Vulnerability

This vulnerability is a local privilege escalation issue.

This means that, to exploit this vulnerability, an attacker must first be able to execute code on the NAS as a regular (non-administrator) user. It cannot be exploited directly over the internet; the attacker must first obtain some form of local access.

On QNAP NAS devices, SSH and Telnet access are restricted by default to users in the administrator group. However, especially if you are running services or containers accessible by other users or from outside networks, we recommend reviewing which system and application exposures might exist.

Recommended Actions

As general risk mitigation measures, we recommend the following:

  • Do not grant shell access to non-administrator users unless absolutely necessary.
  • Only use container images from trusted sources.
  • Review your Container Station settings to ensure unauthorized users cannot access your containers.
  • Keep your applications, containers, and services up to date.
  • Disable any services or applications that are not in use.
  • If you are not using the built-in Web Server, consider disabling it via Control Panel > Web Server.
  • Keep your NAS behind a firewall and avoid direct exposure to the internet.
  • Check the official security advisories and apply security updates as soon as they become available.

QNAP is currently preparing security updates. We will update the official advisory with additional information or fixes as soon as they become available.

If you have concerns about your specific system configuration, please contact QNAP Support.

For security reasons, do not post confidential information such as public IP addresses, usernames, device serial numbers, full logs, or detailed system configurations in the forum.

— QNAP Community Team
Based on information provided by the QNAP Product Security Incident Response Team
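
An added example (not QNAP's own code) for the first recommended action above: a shell function that lists accounts with a usable login shell that are not in the administrator group, which are the accounts able to run code locally as a regular user. The group name `administrators`, the shells treated as non-login, and the sample passwd/group entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which non-administrator accounts can open a shell.
# Assumption: the administrator group is named "administrators"; pass a
# different name as the third argument if your system differs.

# audit_shell_users PASSWD_FILE GROUP_FILE [ADMIN_GROUP]
# Prints one user name per line for every account that has a usable login
# shell and is not in ADMIN_GROUP (by member list or by primary GID).
audit_shell_users() {
    awk -F: -v admin="${3:-administrators}" '
        # First file is group(5): record the admin GID and listed members.
        FILENAME == ARGV[1] {
            if ($1 == admin) {
                admin_gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        # Second file is passwd(5): skip comments and malformed entries.
        /^#/ || NF < 7 { next }
        # nologin/false cannot start a session. An EMPTY shell field is not
        # skipped: passwd(5) treats it as /bin/sh, so it counts as a shell.
        $7 ~ /\/(nologin|false)$/ { next }
        ($1 in member) || (admin_gid != "" && $4 == admin_gid) { next }
        { print $1 }
    ' "$2" "$1"
}

# Constructed sample data (not taken from a real NAS).
sample_audit() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'administrators:x:0:admin,alice' \
        'everyone:x:100:admin,alice,bob,carol,svc' > "$dir/group"
    printf '%s\n' \
        'admin:x:0:0:administrator:/share/homes/admin:/bin/sh' \
        'alice:x:1000:100:Alice:/share/homes/alice:/bin/sh' \
        'bob:x:1001:100:Bob:/share/homes/bob:/bin/sh' \
        'carol:x:1002:100:Carol:/share/homes/carol:' \
        'svc:x:1003:100:service:/tmp:/sbin/nologin' > "$dir/passwd"
    audit_shell_users "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}

sample_audit    # prints bob and carol, one per line
# On a live system: audit_shell_users /etc/passwd /etc/group
```

Any name this prints is an account to review against the shell-access recommendation; an empty result means no non-administrator account in the files has a login shell.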