QNAP is currently investigating CVE-2026-31431, also known as Copy Fail, and we would like to clarify for users who may be concerned about its impact on QNAP NAS devices.
In short, the majority of QNAP NAS models are not affected by this vulnerability.
This issue only affects certain ARM-based QNAP NAS models running specific impacted Linux kernel versions. Based on our current assessment:
- All x86-based QNAP NAS models are not affected.
- ARM-based NAS models running QTS 4.x are not affected.
- This issue only applies to specific ARM-based NAS models running impacted kernel versions.
Please refer to the official QNAP Security Advisory for the latest updates:
https://www.qnap.com/go/security-advisory/qsa-26-16
About this vulnerability
This vulnerability is a local privilege escalation issue.
This means that an attacker must first be able to execute code on the NAS as a regular user (i.e., a non-administrator user) before attempting to exploit this vulnerability. It is not a vulnerability that can be exploited directly from the internet without first obtaining some form of local access.
On QNAP NAS devices, SSH and Telnet access are by default limited only to users in the administrators group. Nevertheless, users are still advised to review the exposure of their systems and applications, especially if running services or containers that can be accessed by other users or from external networks.
Recommended actions
To generally reduce risk, we recommend the following:
- Do not grant shell access to non-administrator users unless absolutely necessary.
- Only run container images from trusted sources.
- Review your Container Station settings and avoid granting unnecessary container access to users.
- Always update your applications, containers, and services.
- Disable unused services and applications.
- If the built-in Web Server is not actively used, consider disabling it via Control Panel > Web Server.
- Place your NAS behind a firewall and avoid exposing it directly to the internet.
- Follow the official security advisories and install security updates as soon as they become available.
QNAP is preparing security updates and will update the advisory when additional information or fixes become available.
If you have concerns related to particular system configurations, please contact QNAP Support for further assistance.
For your safety, please do not publicly post sensitive information on forums, such as public IP addresses, usernames, device serial numbers, full logs, or detailed system configurations.
— QNAP Community Team
Based on information from QNAP Product Security Incident Response Team