QNAP is currently investigating CVE-2026-31431, also known as Copy Fail. We would like to provide some clarifications for users who are concerned about possible impacts on QNAP NAS devices.
In short: Most QNAP NAS models are not affected by this vulnerability.
This issue only affects certain ARM-based QNAP NAS models running specific vulnerable Linux kernel versions. Based on our current assessment:
- All x86-based QNAP NAS models are not affected.
- ARM-based NAS models with QTS 4.x are not affected.
- The issue only affects specific ARM-based NAS models running affected kernel versions.
For the latest information, please visit the official QNAP security advisory:
https://www.qnap.com/go/security-advisory/qsa-26-16
About This Vulnerability
This vulnerability is a local privilege escalation.
This means that an attacker would first need to be able to execute code on the NAS as a regular, non-administrative user before being able to attempt to exploit the vulnerability. It is not a vulnerability that can be exploited directly from the internet without first gaining some form of local access.
On QNAP NAS devices, SSH and Telnet access is restricted by default to users in the administrator group. Nevertheless, users should review their system and application exposure, especially if they are running services or containers that are accessible by other users or from external networks.
Recommended Actions
To reduce general risk, we recommend the following:
- Do not provide non-administrative users with shell access unless absolutely necessary.
- Only use container images from trusted sources.
- Review your Container Station settings and avoid unnecessary user access to containers.
- Always keep applications, containers, and services up to date.
- Disable unused services and applications.
- If the built-in web server is not actively used, consider disabling it under Control Panel > Web Server.
- Operate your NAS behind a firewall and avoid sharing it directly on the internet.
- Follow the official security advisory and install security updates as soon as they become available.
QNAP is working on a security update and will update the security advisory as soon as further information or fixes become available.
If you have concerns about a specific system configuration, please contact QNAP Support.
For your safety, please do not post sensitive information on the forum, such as public IP addresses, usernames, device serial numbers, full logs, or detailed system configurations.
— QNAP Community Team
Based on information from the QNAP Product Security Incident Response Team