OpenWrt 25.12
Get firmware on Downloads (latest 25.12.3).
Each version's full technical changelog lives on the
wiki; the notes below are the per-release summary.
OpenWrt 25.12.3 — Service Release · 6. May 2026
Main changes between OpenWrt 25.12.2 and OpenWrt 25.12.3
Only the main changes are listed below. See https://openwrt.org/releases/25.12/changelog-25.12.3 for the full changelog.
Security fixes
- Linux kernel: fixes CVE-2026-31431 (“Copy Fail”). The vulnerability only triggers when the kernel is built with
CONFIG_CRYPTO_USER_API, which is enabled by thekmod-crypto-userpackage and is always enabled on thestarfivetarget. Devices that are not on thestarfivetarget and do not havekmod-crypto-userinstalled are not affected. - mbedtls: update to 3.6.6 (multiple CVE fixes)
- OpenSSL: update to 3.5.6 (multiple CVE fixes)
- wolfSSL: update to 5.9.1 (multiple CVE fixes)
Device support
New devices supported in 25.12.3:
- mediatek: filogic: ASUS RT-AX52 PRO
- mediatek: filogic: D-Link AQUILA PRO AI E30
- mediatek: filogic: Huasifei WH3000 Pro (NAND variant)
- mediatek: filogic: Keenetic KAP-630 / Netcraze NAP-630
- mediatek: filogic: Zbtlink ZBT-Z8103AX-D
- mediatek: filogic: Zbtlink ZBT-Z8106AX-T
- mediatek: filogic: Zyxel WX5600-T0
- ramips: EDUP EP-RT2983
- ramips: mt76x8: Cudy LT300 v3
- x86: DFI ADN553
- x86: DFI ASL553
Device fixes:
- ath79: Netgear WNDAP360: multiple fixes restoring proper operation (sysupgrade, kernel loader, ethernet, LED, serial baud rate and U-Boot environment)
- ath79: Extreme Networks WS-AP3805i: fix U-Boot environment configuration
- ath79: Mikrotik: fix included device packages
- ipq50xx: Linksys MX5500: add label MAC device assignment
- lantiq: Netgear DGN3500: fix U-Boot environment size — device was broken on 25.12 (#22692)
- mediatek: filogic: Bananapi BPI-R4: add device tree overlay for the BE14 WiFi 7 module — fixes very low WiFi TX power on this module (#17489)
- mediatek: filogic: Keenetic KN-1812: various Ethernet PHY device tree fixes (PHY reset, interrupt support, MDIO drive strength, partition naming, xsphy node)
- mediatek: filogic: Netgear EAX17: fix rootfs hash in FIT node for per-device rootfs builds
- mediatek: filogic: CMCC RAX3000M: add Airoha AN8855 switch support (#21230)
- mvebu: ClearFog Base/Pro: fix switch kernel module
- qualcommax: ipq50xx: Xiaomi AX6000: enable PCIe1 for QCA9887
- qualcommax: ipq807x: Linksys MX5300: add label MAC assignment
- ramips: Yuncore CPE200: fix EEPROM size
- ramips: mt7621: fix reset hang
- ramips: Wavlink WL-WN575A3: fix EEPROM size for 5 GHz WiFi
- ramips: Xiaomi Mi Router 4C: fix WAN LED GPIO (#18578)
WiFi fixes and improvements
- wifi-scripts: fix incorrect
erp_domainandfils_cache_idvalues generated by the ucode-based config script (#21768) - wifi-scripts: add missing
bridge_isolateandnetwork_vlanfields to the ucode schema (#22620) - wifi-scripts: add missing
ifaceand other fields to the ucode station/vlan schema (#22165) - wifi-scripts: add EHT (WiFi 7) rates to
set_fixed_freq
Networking and system fixes
- mbedtls: backport upstream patches to fix TLS 1.2 client issues — fixes a regression that broke DDNS updates and other TLS 1.2 client connections; the regression was introduced in mbedtls package updates shipped after the 25.12.2 release (OpenWrt packages follow a rolling release model) (#22874)
- base-files: sysupgrade: fix
-uoption (skip default configuration) which was broken with apk - base-files: sysupgrade: fix
-f(custom backup) when the path contains spaces - base-files: sysupgrade: update backup exclusion list
- base-files: use
DISKSEQinstead of MAJOR/MINOR for stable disk identification (MAJOR/MINOR are not sequential) - lantiq: fix mtdparsers refcount and memory leak
- uqmi / umbim: introduce
devpathoption for selecting cellular modems by USB device path
Core component updates
- Linux kernel: update from 6.12.74 to 6.12.85
- ca-certificates: update from 20250419 to 20260223
- linux-firmware: update from 20251125 to 20260221
- mbedtls: update from 3.6.5 to 3.6.6 (security fixes)
- OpenSSL: update from 3.5.5 to 3.5.6 (security fixes)
- wireless-regdb: update from 2026.02.04 to 2026.03.18
- wolfSSL: update from 5.8.4 to 5.9.1 (security fixes)
OpenWrt 25.12.2 — Service Release · 27. March 2026
Main changes between OpenWrt 25.12.1 and OpenWrt 25.12.2
Only the main changes are listed below. See https://openwrt.org/releases/25.12/changelog-25.12.2 for the full changelog.
Device support
- airoha: rename kernel module
kmod-pwm-an7581tokmod-pwm-airoha— users with this module explicitly installed need to reinstall under the new name - apm821xx: fix U-Boot environment definitions for NETGEAR WNDR4700, Western Digital MyBookLive, Meraki MR24 and Meraki MX60; fix PCIe boot failure on Meraki MX60
- ath79: fix initramfs boot for Huawei AP5030DN and AP6010DN
- ath79: fix VLAN CPU port tagging on 2-CPU-port devices (affects several dual-CPU switch configurations)
- ath79: remove incorrectly included WiFi packages from Mikrotik RB750r2 (device has no WiFi hardware)
- ipq40xx: fix ART partition name for Linksys Velop WHW03 V1 — restores correct WiFi calibration data access
- ipq40xx: fix MAC address reading for Linksys devices using eMMC-based NVMEM
- lantiq: xrx200: fix failsafe mode on BT HomeHub 5A — LAN ports 1 & 2 now work correctly in failsafe (#22480)
- mediatek: Bananapi BPI-R4: fix SFP+ electric module support — modules that stopped working after a snapshot upgrade are now functional again (#19878)
- ramips: fix kernel decompress error that bricked ELECOM WRC-X1800GS on 25.12.0 (#22270)
- ramips: fix initramfs kernel load address for TP-Link EAP615-Wall v1
- ramips: fix MAC address assignment for Xiaomi Mi AC2100
- realtek: fix D-Link fan control script
WiFi fixes and improvements
- wifi-scripts: fix 160 MHz channel width configuration — hostapd was not correctly configured for 160 MHz, preventing its use (#22481)
- wifi-scripts: fix SU beamformee antenna count — incorrect count was passed to the driver
- hostapd: fix memory leak in Radio Resource Management (RRM) ubus interface
- mac80211: ath12k: add thermal sensor support for QCA/IPQ devices
- mac80211: ath9k: fix GPIO mask handling from device tree
- mt76: fix severe WiFi latency regression (up to 30+ seconds) on 2.4 GHz introduced in 25.12.1 — affected many MediaTek devices including OpenWrt One, Zyxel EX5601, ASUS RT-AX53U, Xiaomi AX3000T/AX6000, Cudy WR3000/X6, GL Flint 2 and others (#22491)
- mt76: multiple further stability fixes for MediaTek WiFi chipsets (MT7615/MT7915/MT7996/MT7992/MT792x):
- add per-link beacon monitoring for MLO (Multi-Link Operation)
- fix MT7996/MT7992 link handling during MLO station add/remove
- fix scan work requeue race with spinlock
OpenWrt 25.12.1 — Service Release · 18. March 2026
Main changes between OpenWrt 25.12.0 and OpenWrt 25.12.1
Only the main changes are listed below. See https://openwrt.org/releases/25.12/changelog-25.12.1 for the full changelog.
Security fixes
OpenWrt components (Trail of Bits audit, February 2026):
- CVE-2026-30871: Stack buffer overflow in umdns DNS PTR query handling (HIGH)
- CVE-2026-30872: Stack buffer overflow in umdns IPv6 reverse DNS lookup (HIGH)
- CVE-2026-30873: Memory leak in jsonpath when processing strings, labels, and regexp tokens (LOW)
- CVE-2026-30874: Command execution via PATH environment variable filter bypass in procd (LOW)
LuCI:
Additional hardening from the same Trail of Bits audit (no CVE assigned):
- odhcpd: fix stack buffer overflow in DHCPv6 Identity Association logging
- procd: fix out-of-bounds write in cgroup path building and cgroup rule application
Device support
- airoha: fix EN7581 PCIe initialization and add x2 (2-lane) link support — improves PCIe reliability and unlocks full bandwidth for affected devices
- ath79: TP-Link RE355 v1, RE450 v1/v2: fix partition alignment to prevent configuration loss on sysupgrade
- ipq40xx: Devolo Magic 2 WiFi next: enable device support
- ipq40xx: re-enable MeshPoint.One target
- ipq806x: AP3935: fix U-Boot NVMEM layout
- lantiq: fix GPIO expander clock (gpio-stp-xway) — restores correct LED and GPIO behaviour on affected devices
- lantiq: fix missing WAN MAC address assignment on some devices
- mediatek: Cudy M3000: add support for hardware variant with Motorcomm YT8821 PHY (previously only the Realtek PHY variant was supported)
- mediatek: TP-Link BE450: fix 10GbE PHY reset timing that caused intermittent boot stalls, add missing WLAN toggle button, fix reported memory size
- microchipsw: Novarq Tactical 1000: fix swapped SFP I2C buses for ports 1 and 3 — fixes SFP EEPROM read failures
- ramips: Keenetic KN-1910: fix sysupgrade functionality
- realtek: RTL838x-based switches: fix non-functional reboot
- treewide: Linksys devices: fix MAC address assignment
WiFi fixes and improvements
- mac80211: fix crash triggered by Channel Switch Announcement (CSA) when AP VLAN interfaces are in use
- mt76: add MT7990 firmware support (new MediaTek WiFi 7 chipset)
- mt76: mt7915: fix power save mode handling
- mt76: mt7921/MT7902: add MT7902e MCU and DMA layout support
- mt76: mt7996/mt7992: fix crash in transmit path, fix out-of-bounds access during hardware restart, improve MLO/CSA and radar detection support
- wifi-scripts: fix incorrect VHT160 capability advertisement — was incorrectly set on non-160 MHz AP configurations, degrading station upload speed (#22435)
- wifi-scripts: fix malformed wpa_supplicant config when 802.1X EAP credentials (identity, password, certificates) contain spaces (#22212)
Web interface (LuCI) and system fixes
- luci-mod-network: fix XSS vulnerability in WiFi scan modal (CVE-2026-32721)
- ustream-ssl (OpenSSL variant): fix use-after-free crash causing uhttpd (the LuCI web server) to crash under high load (#19349)
Networking and system fixes
- firewall4: set as the preferred firewall package over the legacy firewall package
- iptables: prefer the nftables-backed variants (iptables-nft, ip6tables-nft) when iptables is pulled in as a dependency
- kernel: CAKE QoS scheduler fixes — avoid unnecessary synchronization overhead when running without a rate limit, fix DiffServ rate scaling
- kernel: SFP: improve Huawei MA5671a module support — module is now accessible even when no fiber is connected
- odhcpd: fix segfault when disabling a DHCP interface, fix DHCPv4 lease tree corruption, fix truncated field in DHCPv6 lease queries, fix DNS search list padding
- ppp: fix potential memory safety issue (undefined behavior in memcpy with overlapping buffers); remove the MRU limit patch for PPPoE connections (#573)
Package manager (apk)
- apk: update to version 3.0.5 with several OpenWrt-specific bug fixes
- apk: add
–force-reinstalloption to reinstall already-installed packages without requiring a version change
Core component updates
- apk: update from 3.0.2 to 3.0.5
- jsonfilter: update from 2025-10-04 to 2026-03-16 (fixes CVE-2026-30873)
- libubox: update from 2026-02-13 to 2026-03-13 (ABI version stabilized for 25.12 stable series)
- Linux kernel: update from 6.12.71 to 6.12.74
- odhcpd: update from 2026-01-19 to 2026-03-16
- omcproxy: update from 2025-10-04 to 2026-03-07
- procd: update from 2026-02-20 to 2026-03-14 (fixes CVE-2026-30874)
- umdns: update from 2025-10-04 to 2026-02-06 (fixes CVE-2026-30871, CVE-2026-30872)
- ustream-ssl: update from 2025-10-03 to 2026-03-01
OpenWrt 25.12.0 — Stable Release · 5. March 2026
Highlights in OpenWrt 25.12
OpenWrt 25.12.0 incorporates over 4700 commits since branching the previous OpenWrt 24.10 release and has been under development for over one year.
Only the main changes are listed below. See https://openwrt.org/releases/25.12/changelog-25.12.0 for the full changelog.
Honoring Dave Täht
OpenWrt 25.12 is named Dave’s Guitar to honor Dave Täht, who sadly passed away on April 1, 2025.
Dave played a key role in reducing bufferbloat and improving network latency in OpenWrt and across the wider internet. His work made networks faster, more responsive, and more reliable for millions of users.
This release is dedicated to his memory and lasting impact on the networking community.
General changes
The hardware requirements did not change significantly. Most devices supported by OpenWrt 24.10 are also supported in OpenWrt 25.12.
Switch package manager from opkg to apk
OpenWrt has transitioned from the traditional opkg package manager to apk (Alpine Package Keeper).
This change brings several advantages:
- apk is still maintained; the OpenWrt opkg fork is no longer maintained.
apk supports most features of opkg. Only very few package names changed. The command line arguments of apk are different from the command line arguments of opkg.
For users migrating existing systems, an official https://openwrt.org/docs/guide-user/additional-software/opkg-to-apk-cheatsheet is available to ease the transition and map common workflows.
Integration of attended sysupgrade
The https://openwrt.org/docs/guide-user/installation/attended.sysupgrade LuCI application is now installed by default. `owut` is included by default in images for devices with larger flash storage.
ASU allows devices to:
- Upgrade to new OpenWrt firmware versions
- Automatically rebuild firmware images with all currently installed packages
- Preserve system configuration during upgrades
- ASU allows integrating additional installed packages directly into the SquashFS filesystem, which stores packages more efficiently than the overlay filesystem.
This dramatically simplifies upgrades: with just a few clicks in LuCI and a short wait, a custom firmware image is built and installed without manual intervention.
Shell history is preserved
Shell command history is now preserved across sessions by storing it in a RAM-backed filesystem.
Benefits:
- Command history is no longer lost between logins
- No unnecessary writes to flash storage by default
For users who prefer persistent history storage, this behavior can be changed by editing: /etc/profile.d/busybox-history-file.sh
⚠️ Note: Storing history on flash will increase write cycles and may impact flash endurance over time.
Integration of video feed
The OpenWrt video feed with Qt5 and UI applications is integrated by default.
Wi-Fi scripts in ucode
The Wi-Fi scripts were rewritten in ucode. This is part of the rewrite of the management scripts from shell scripts to ucode.
uCode is used for system scripts because it is faster and safer than shell scripts, and integrates directly with ubus and UCI.
Wi-Fi and network management scripts rewritten in uCode run faster, have fewer errors, and are easier to maintain.
Target changes
- Extend the realtek target with support for more switch SoCs like 10G Ethernet switches.
- Extend the qualcommax target with support for ipq50xx and ipq60xx SoCs.
- Added the siflower target for Siflower SF21A6826/SF21H8898 SoCs
- Added the sunxi/arm926ejs subtarget for Allwinner F1C100/200s SoCs
- Added the microchipsw/lan969x target with support for Microchip LAN969x switches.
Many new devices added
OpenWrt 25.12 supports over 2200 devices. Support for over 180 new devices was added in addition to the devices already supported in OpenWrt 24.10. Most devices already supported by OpenWrt 24.10 are still supported.
Core components update
Core components have the following versions in 25.12.0:
- Updated toolchain:
- musl libc 1.2.5
- glibc 2.41
- gcc 14.3.0
- binutils 2.44
- Updated Linux kernel
- 6.12.71 for all targets
- main packages:
- cfg80211/mac80211 from kernel 6.18.7
- hostapd master snapshot from August 2025
- dnsmasq 2.91
- dropbear 2025.89
- busybox 1.37.0
In addition to the listed applications, many others were also updated.
OpenWrt 24.10 end of life
With the release of OpenWrt 25.12 stable series, the OpenWrt 24.10 stable series will go end of life in 6 months. We will not provide security updates for OpenWrt 24.10 after September 2026. We encourage everyone to upgrade to OpenWrt 25.12 before September 2026.