Security

This page covers the project’s security policy: how to report a vulnerability, which releases are still receiving security fixes, the tools used to identify problems, and how fixes reach end users. It applies to the OpenWrt distribution and to project-maintained components such as procd, ubus, and libubox.

Reporting a vulnerability

Send security bug reports in confidence to contact@openwrt.org. The mailbox is monitored, but not always promptly. If you do not receive an acknowledgement within a reasonable time and the issue is severe, send a short note to the public mailing list openwrt-adm@lists.openwrt.org saying that a vulnerability has been reported privately and indicating its general severity. Do not include exploitation details, the vulnerable component, or proof-of-concept code in the public message.

Note: the openwrt-adm list rejects HTML mail. Configure your client to send plaintext.

For non-security bugs, see Reporting bugs.

Supported releases

OpenWrt provides security fixes only for the most recent two stable series. The status of each release is one of:

  • Supported — both security fixes and other bug fixes are issued.
  • Security maintenance — only security fixes are issued.
  • End of life (EoL) — no further updates, including for severe vulnerabilities. Upgrade.

A new major release enters Supported status. When the next major release ships, the previous one drops to Security maintenance. A release reaches EoL one year after its initial release, or six months after its successor ships, whichever is later. A final minor release is normally cut at the end of the support cycle.

Series | Status | Initial release | Latest minor | Latest release date | EoL (projected)
25.12 | Supported | 2026-03-06 | 25.12.3 | 2026-04-06 | TBD
24.10 | Security maintenance | 2025-02-06 | 24.10.6 | 2026-03-18 | 2026-09
23.05 | End of life | 2023-10-13 | 23.05.6 | 2025-08-20 | 2025-08
22.03 | End of life | 2022-09-06 | 22.03.7 | 2024-07-25 | 2024-07
21.02 | End of life | 2021-09-04 | 21.02.7 | 2023-05-01 | 2023-05
19.07 | End of life | 2020-01-06 | 19.07.10 | 2022-04-20 | 2022-04
18.06 | End of life | 2018-07-31 | 18.06.9 | 2020-12-09 | 2020-12
17.01 | End of life | 2017-02-22 | 17.01.7 | 2019-06-20 | 2019-06

Caveats:

  • This timeline covers the core OpenWrt repository. External package feeds (hosted on GitHub) follow their own maintainer policies and may not support every release that the project itself still supports.
  • Devices should run the latest stable release for the best security posture.

Advisories

Vulnerabilities in components maintained by the OpenWrt project are tracked at /advisories/. Each entry lists the affected versions, where the fix landed, and credits.

Additional advisories are published as GitHub Security Advisories on the relevant repositories under github.com/openwrt — notably openwrt/asu, where issues affecting Attended SysUpgrade are coordinated. When such a GitHub advisory affects shipped OpenWrt builds, it is mirrored to /advisories/ as well; otherwise the GitHub repo is the authoritative source.

The list covers project-maintained components only; fixes for third-party components are backported into supported releases when they affect OpenWrt, but are not enumerated here.

Date | CVE | Summary
| CVE-2025-14282 | Dropbear privilege escalation via Unix domain socket forwarding
| CVE-2025-62526 | ubusd: heap buffer overflow
| CVE-2025-62525 | ltq-ptm: local privilege escalation
| CVE-2024-54143 | OpenWrt Attended SysUpgrade server: build artifact poisoning via truncated SHA-256 hash and command injection
| CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722 | Multiple issues in mac80211 and cfg80211

All advisories (24) →

How problems get found

The project uses a number of tools to surface security issues. Output from each is public — fixes from anyone are welcome.

  • uscan report. Compares the package version in the OpenWrt tree against upstream releases and cross-references the CPE declared in each package’s PKG_CPE_ID against published CVEs. Updated weekly for main and the active release branches.
  • Coverity Scan. Static analysis runs once a week against the OpenWrt build and reports defects in project-maintained components (procd, ubus, etc.). Findings on patched third-party components are not reported.
  • Reproducible builds. Independent rebuilds verify that the published release artifacts match the source — a check against build-system tampering and accidental backdoors.
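A simplified version of the cross-reference the uscan report performs, added here as an illustration rather than the project's own script: it reads PKG_VERSION and PKG_CPE_ID from a package Makefile and matches them against CVE records keyed by CPE, and also reports whether the tree lags the newest upstream release. The Makefile fragment, the examplepkg package and the CVE-0000-* identifiers are all constructed placeholders, and the version comparison handles dotted numeric versions only.

```python
import re

# Constructed OpenWrt-style package Makefile fragment; "examplepkg" is not a real package.
MAKEFILE = """\
PKG_NAME:=examplepkg
PKG_VERSION:=1.4.2
PKG_RELEASE:=3
PKG_CPE_ID:=cpe:/a:example_vendor:examplepkg
"""

# Constructed CVE records: (CVE id, affected product CPE, first fixed version or None if unfixed).
CVE_FEED = [
    ("CVE-0000-0001", "cpe:/a:example_vendor:examplepkg", "1.4.3"),
    ("CVE-0000-0002", "cpe:/a:example_vendor:examplepkg", "1.4.0"),
    ("CVE-0000-0003", "cpe:/a:example_vendor:examplepkg", None),
    ("CVE-0000-0004", "cpe:/a:other_vendor:otherpkg", "9.9.9"),
]

def parse_makefile(text: str) -> dict:
    """Collect the PKG_*:= assignments (name, version, CPE id) from a package Makefile."""
    return dict(re.findall(r"^(PKG_[A-Z_0-9]+):=\s*(\S*)\s*$", text, re.M))

def version_key(v: str) -> tuple:
    """Numeric-aware sort key so that 1.10 > 1.9; pre-release tags are not modelled."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def affected_cves(makefile_text: str, feed) -> list:
    """CVEs whose product CPE matches PKG_CPE_ID and whose fix is newer than PKG_VERSION."""
    pkg = parse_makefile(makefile_text)
    cpe = pkg.get("PKG_CPE_ID")
    if not cpe:
        return []  # without a CPE the package cannot be cross-referenced at all
    ours = version_key(pkg["PKG_VERSION"])
    return [cve for cve, prod, fixed in feed
            if prod == cpe and (fixed is None or ours < version_key(fixed))]

def upstream_lag(makefile_text: str, upstream_latest: str) -> bool:
    """True when the tree lags the newest upstream release (the other half of the report)."""
    return version_key(parse_makefile(makefile_text)["PKG_VERSION"]) < version_key(upstream_latest)

if __name__ == "__main__":
    print("affected:", affected_cves(MAKEFILE, CVE_FEED))
    print("lags upstream 1.4.3:", upstream_lag(MAKEFILE, "1.4.3"))
```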

How fixes reach users

The project runs buildbot instances that continuously build snapshots of main and each supported release branch. When a fix lands in a package, the buildbot rebuilds it; the new package becomes installable via opkg and via the Attended SysUpgrade flow within roughly two days.

The kernel and kernel modules are not updatable through this path because the kernel lives in its own partition and is part of the firmware image. Kernel security fixes ship as a new minor release.

Hardening build flags

OpenWrt enables a number of compile-time hardening options for all package builds. Individual packages or targets may opt out.

.config symbol | Default | Effect
CONFIG_PKG_CHECK_FORMAT_SECURITY=y | yes | -Wformat -Werror=format-security
CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y | yes | -fstack-protector
CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y | no | -fstack-protector-strong
CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y | yes | Kernel CONFIG_STACKPROTECTOR
CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y | no | Kernel CONFIG_STACKPROTECTOR_STRONG
CONFIG_PKG_FORTIFY_SOURCE_1=y | yes | -D_FORTIFY_SOURCE=1 (uses fortify-headers on musl)
CONFIG_PKG_FORTIFY_SOURCE_2=y | no | -D_FORTIFY_SOURCE=2 (uses fortify-headers on musl)
CONFIG_PKG_RELRO_FULL=y | yes | -Wl,-z,now -Wl,-z,relro
CONFIG_PKG_ASLR_PIE_REGULAR=y | yes | -fPIC plus -specs=hardened-build-ld. PIE is enabled for selected (mostly network-exposed) binaries.
CONFIG_PKG_ASLR_PIE_ALL=y | no | PIE for all binaries.
CONFIG_KERNEL_SECCOMP | yes | Kernel CONFIG_SECCOMP
CONFIG_SELINUX | no | Kernel SECURITY_SELINUX
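The flags in the table change what the linker writes into each ELF binary; the following added checker (not OpenWrt's own tooling) reads the ELF64 header and program headers to confirm three of those effects on a built artifact: PIE from the CONFIG_PKG_ASLR_PIE_* options, the RELRO segment from CONFIG_PKG_RELRO_FULL, and a non-executable stack. It does not parse the dynamic section or symbol table, so the bind-now half of full RELRO, the stack protector and FORTIFY_SOURCE are outside its scope, and make_elf builds a minimal constructed image for testing rather than reading a real binary.

```python
import struct

ET_DYN = 3                   # e_type of a PIE (position-independent executable)
ET_EXEC = 2                  # e_type of a fixed-address executable
PT_GNU_STACK = 0x6474e551    # program header describing stack permissions
PT_GNU_RELRO = 0x6474e552    # program header emitted by -Wl,-z,relro
PF_X = 0x1                   # executable segment flag

def elf_hardening(data: bytes) -> dict:
    """Report PIE / RELRO / non-executable-stack status from a 64-bit ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    relro = False
    stack_seen, stack_exec = False, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            stack_seen, stack_exec = True, bool(p_flags & PF_X)
    # A missing PT_GNU_STACK makes the loader fall back to an executable stack.
    return {"pie": e_type == ET_DYN, "relro": relro, "nx_stack": stack_seen and not stack_exec}

def make_elf(e_type: int, phdrs) -> bytes:
    """Constructed test input: a minimal little-endian ELF64 header plus program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body

def findings(data: bytes) -> list:
    """Names of the hardening properties the image lacks (empty list = all present)."""
    return [name for name, ok in elf_hardening(data).items() if not ok]

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(sys.argv[1], findings(f.read()) or "all checks passed")
```

On a build host, readelf -lW on the same binary shows the GNU_RELRO and GNU_STACK program headers the checker looks for.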

Subscribing