
AS-2026-007: Linux Kernel - Copy Fail

2026-05-04

Severity

Important

Status

Ongoing


Statement

A local privilege escalation (LPE) vulnerability in the Linux kernel, commonly known as "Copy Fail", has been disclosed. If the vulnerability is exploited, an authenticated non-administrator user who has code execution privileges can gain elevated system privileges.

CVE-2026-31431 affects ASUSTOR products with Linux kernel versions higher than 4.14, from ADM 4.1 to ADM 5.1. Updates containing the Linux kernel patch will be released as soon as possible.


Affected Products

Product | Severity | Fixed Release Availability
ADM 5.0 | Important | Ongoing
ADM 4.3, ADM 4.2 and 4.1 | Important | Ongoing

Detail

  • CVE-2026-31431
    • Severity: High
    • CVSS3.1 Base Score: 7.8
    • CVSS3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    • In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
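
A triage check built on the two facts this advisory gives, kernel versions higher than 4.14 and the algif_aead component, added here as an example that is not ASUSTOR's code. The function names, the "boundary" label for 4.14.x and the use of /proc/modules are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example, not ASUSTOR code. The 4.14 threshold and the algif_aead
# component name come from the advisory; everything else is an assumption.

# kernel_scope RELEASE
# Prints in-scope (higher than 4.14), boundary (4.14.x: the advisory wording
# is ambiguous, check by hand), out-of-scope, or unknown (unparseable).
kernel_scope() {
    rel=${1%%-*}                      # "5.4.0-generic" -> "5.4.0"
    major=${rel%%.*}
    rest=${rel#*.}
    [ "$rest" = "$rel" ] && rest=""   # release string had no dot
    minor=${rest%%.*}
    major=${major%%[!0-9]*}           # drop trailing non-digits such as "+"
    minor=${minor%%[!0-9]*}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown
    elif [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 14 ]; }; then
        echo in-scope
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 14 ]; then
        echo boundary
    else
        echo out-of-scope
    fi
}

# algif_aead_loaded [MODULES_FILE]
# Succeeds if algif_aead is listed as a loaded module. A built-in copy is not
# listed there, and an unloaded module may still load on demand, so a negative
# result is informational only and does not mean the system is unaffected.
algif_aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# triage [RELEASE] [MODULES_FILE]: one summary line for an inventory script.
triage() {
    t_rel=${1:-$(uname -r)}
    t_scope=$(kernel_scope "$t_rel")
    if algif_aead_loaded "${2:-/proc/modules}"; then t_mod=loaded; else t_mod=not-loaded; fi
    echo "kernel=$t_rel scope=$t_scope algif_aead=$t_mod"
}

triage   # report on the machine the script runs on
```
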

Reference


Revision

Revision | Date | Description
1 | 2026-05-04 | Initial public release.