
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN452
_____________________________________________________________________

DATE                : 04/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QTS on specific QNAP ARM64 NAS
                             models running Kernel 5.10.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-26-16
_____________________________________________________________________


Security ID : QSA-26-16
Local Privilege Escalation Vulnerability in Linux Kernel (Copy Fail)

    Release date : May 2, 2026

    CVE identifier : CVE-2026-31431

    Not affected products:
    All QNAP x86-based NAS
    All QuTS hero NAS models
    QNAP ARM-based NAS running QTS 4.x (these utilize older kernel versions).
    QNAP ARM-based NAS running kernel versions other than 5.10.

    Affected products:
    QTS on specific QNAP ARM64 NAS models running Kernel 5.10

Severity
Moderate

Status
Investigating

Summary
A local privilege escalation vulnerability, commonly known as
"Copy Fail", has been reported to affect the Linux kernel. If
exploited, this vulnerability could allow an authenticated,
non-administrator user with code execution capabilities to
obtain elevated system privileges.

This vulnerability specifically affects systems that meet both
of the following criteria:

    Architecture: ARM64.
    Kernel Version: Linux Kernel 5.10.

QNAP is currently investigating the issue and developing
security updates. This advisory will be updated as soon as
fixes are available.

Affected Products
The following operating system versions are affected:

    QTS on specific QNAP ARM64 NAS models running Kernel 5.10 

To verify your NAS architecture and kernel version, please
log in to QTS or check the technical specifications for your
model at: https://www.qnap.com/go/release-notes/kernel
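
Added example (not part of the QNAP advisory or the CERT-Renater note):
a shell check of the two criteria above, using the standard uname
utility, for one host or for an asset inventory. Function names, host
names and kernel strings are constructed; a match means "potentially
affected" only, since the advisory limits impact to specific models
running QTS, and the check does not distinguish QTS from QuTS hero.

```shell
#!/bin/sh
# Added example: triage hosts against the two criteria in QSA-26-16
# (ARM64 architecture AND Linux kernel 5.10). Function names are hypothetical.

# copyfail_exposure ARCH KERNEL_RELEASE  (values as printed by uname -m / -r)
copyfail_exposure() {
    arch=$1
    release=$2
    case "$arch" in
        aarch64|arm64) ;;   # 64-bit ARM
        *) echo "not-affected: architecture $arch is not ARM64"; return 0 ;;
    esac
    # Exact major.minor match: 5.10.60-x matches, 5.100.1 and 5.1.0 do not.
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" = "5" ] && [ "$minor" = "10" ]; then
        echo "potentially-affected"
    else
        echo "not-affected: kernel $release is not 5.10"
    fi
}

# triage_inventory: read "host arch kernel-release" lines on stdin and print
# the hosts meeting both criteria. Blank lines and # comments are skipped.
triage_inventory() {
    while read -r host arch release; do
        case "$host" in ''|'#'*) continue ;; esac
        if [ "$(copyfail_exposure "$arch" "$release")" = "potentially-affected" ]; then
            echo "$host"
        fi
    done
    return 0
}

# Local check, for running on the NAS itself from an administrator shell.
echo "local: $(copyfail_exposure "$(uname -m)" "$(uname -r)")"

# Constructed inventory (host names and kernel strings are made up).
triage_inventory <<'EOF'
# host   arch     kernel
nas-01   aarch64  5.10.60-qnap
nas-02   x86_64   5.10.60-qnap
nas-03   aarch64  4.2.8
nas-04   aarch64  5.100.1
EOF
```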

Products Not Affected

The following products and configurations are not impacted by
this vulnerability:

    All QNAP x86-based NAS 
    All QuTS hero NAS models 
    QNAP ARM-based NAS running QTS 4.x (these utilize older kernel versions).
    QNAP ARM-based NAS running kernel versions other than 5.10.

Recommendation
Currently, no official mitigation is available for this
vulnerability. We strongly recommend users install security
updates immediately upon release.

To reduce exposure on potentially affected devices, QNAP
recommends the following security measures:

    Restrict Access: Avoid granting shell access or terminal
      permissions to non-administrator users.
    Container Security: Limit container deployments to trusted
      images and restrict environment access within Container Station.
    Disable Unused Services: Disable the Web Server
      (default port 80) and other non-essential applications if not
      in use.
    Network Protection: Ensure the NAS is not directly exposed
      to the internet. Use QuFirewall or external network firewalls
      to restrict access.


Revision History: V1.0 (May 2, 2026) - Published


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




