[Security Advisory] CVE-2026-31431 “Copy Fail” — Impact Clarification for QNAP NAS Users

QNAP is currently investigating CVE-2026-31431, also known as Copy Fail, and we would like to provide some clarification for users who may be concerned about its impact on QNAP NAS devices.

In short, most QNAP NAS models are not affected by this vulnerability.

This issue affects only certain ARM-based QNAP NAS models running specific Linux kernel versions. According to our current assessment:

  • All x86-based QNAP NAS models are not affected.
  • ARM-based NAS models running QTS 4.x are not affected.
  • The issue only applies to specific ARM-based NAS models running affected kernel versions.

Please refer to the official QNAP Security Advisory for the latest information:

https://www.qnap.com/go/security-advisory/qsa-26-16

About this vulnerability

This vulnerability is a local privilege escalation issue.

This means that an attacker would first need to be able to run code on the NAS as a regular, non-administrator user before attempting to exploit the vulnerability. It is not a vulnerability that can be directly exploited from the internet without first gaining some level of local access.

For QNAP NAS devices, SSH and Telnet access are limited to administrator-group users by default. However, users should still review their system and application exposure, especially if they are running services or containers that can be accessed by other users or from external networks.

Recommended actions

For general risk reduction, we recommend the following:

  • Do not grant shell access to non-administrator users unless absolutely necessary.
  • Only run container images from trusted sources.
  • Review Container Station settings and avoid allowing unnecessary user access to containers.
  • Keep applications, containers, and services updated.
  • Disable unused services and applications.
  • If the built-in Web Server is not actively being used, consider disabling it from Control Panel > Web Server.
  • Keep the NAS behind a firewall and avoid exposing it directly to the internet.
  • Follow the official security advisory and install security updates once they become available.

QNAP is working on a security update and will update the advisory when more information or fixes are available.

If you have a specific system configuration that you are concerned about, please contact QNAP Support for further assistance.

For your security, please do not post sensitive information publicly in the forum, including public IP addresses, usernames, device serial numbers, full logs, or detailed system configuration.

— QNAP Community Team
Based on information from the QNAP Product Security Incident Response Team

Question on containers: Many containers are running under Linux versions like Alpine or BusyBox or similar. Since the containers are running a “different” Linux than the QNAP, is there a vulnerability in those containers? Or is that not the case?