OpenWrt 25.12.5 - Service Release
Hauke Mehrtens
hauke at hauke-m.de
Tue Jun 30 17:09:46 PDT 2026
Hi,
The OpenWrt community is proud to announce the fifth service release of
the OpenWrt 25.12 stable series.
Download firmware images using the OpenWrt Firmware Selector:
* https://firmware-selector.openwrt.org/?version=25.12.5
Download firmware images directly from our download servers:
* https://downloads.openwrt.org/releases/25.12.5/targets/
Main changes between OpenWrt 25.12.4 and OpenWrt 25.12.5
=========================================================
Only the main changes are listed below. See the [full
changelog](https://openwrt.org/releases/25.12/changelog-25.12.5) for
details.
Security fixes
==============
This release fixes several remotely triggerable vulnerabilities in core
network services that are enabled by default. Updating is strongly
recommended.
* **odhcpd (DHCPv6/DHCPv4/RA server, enabled by default):** multiple
vulnerabilities reachable by a network-adjacent attacker were fixed by
updating odhcpd:
* **CVE-2026-53921** (Critical): stack buffer overflow in the
DHCPv6 IA reply serialization, triggerable with crafted DHCPv6 REQUEST
packets.
https://github.com/openwrt/odhcpd/security/advisories/GHSA-7fwx-hhrg-3496
* **CVE-2026-53918** (High): use-after-free in the DHCPv6 IA
handler.
https://github.com/openwrt/odhcpd/security/advisories/GHSA-44ff-jcwh-wgc2
* **CVE-2026-53920** (High): stack memory disclosure via a
truncated DHCPv6 IA_NA/IA_PD option.
https://github.com/openwrt/odhcpd/security/advisories/GHSA-p769-5v73-pc4f
* **CVE-2026-53922** (Moderate): pre-auth denial of service via a
size_t underflow in DHCPv6 IA handling.
https://github.com/openwrt/odhcpd/security/advisories/GHSA-7hcw-g2jh-pqv5
* **CVE-2026-55606** (Moderate): stack buffer overread caused by a
DUID length endianness mismatch.
https://github.com/openwrt/odhcpd/security/advisories/GHSA-x8x4-7gvf-gp45
* **No CVE assigned** (Moderate, CVSS 5.4): the NDP relay accepted
IPv6 Neighbor Solicitations with a hop limit other than 255 (RFC 4861
violation), letting an off-link attacker spoof NS packets through the
relay (neighbor-cache poisoning, traffic redirection or DoS). Only
relevant when the NDP relay is enabled.
https://github.com/openwrt/odhcpd/security/advisories/GHSA-qvg7-9jf5-wgjc
* **odhcpd / LuCI stored XSS** (Critical): an unauthenticated DHCPv6
client could inject lease-file lines through a crafted FQDN hostname,
resulting in stored cross-site scripting on the LuCI DHCPv6 leases
status page. Fixed by escaping client hostnames in the lease state file.
https://github.com/openwrt/openwrt/security/advisories/GHSA-hhmc-92hw-535f
* **uhttpd (web server):** three HTTP request smuggling issues on
keep-alive connections were fixed:
* **CVE-2026-55612** (High): invalid chunk-length state reset.
https://github.com/openwrt/uhttpd/security/advisories/GHSA-p55c-rmhc-qfm5
* **CVE-2026-55614** (High): case-sensitive Transfer-Encoding
matching.
https://github.com/openwrt/uhttpd/security/advisories/GHSA-mcfg-c4r7-pjpf
* **CVE-2026-55613** (Moderate): ubus POST body parse-error desync.
https://github.com/openwrt/uhttpd/security/advisories/GHSA-wgwp-64hh-f52p
* **cgi-io: ACL bypass / arbitrary file read** (Moderate): a
path-traversal flaw in the cgi-download handler let an authenticated
user with wildcard read permission read any root-readable file (e.g.
`/etc/shadow`).
https://github.com/openwrt/openwrt/security/advisories/GHSA-jw5r-xhf5-2xcq
* **LuCI (web interface):** a set of issues in LuCI core modules and
applications were fixed. Most let a logged-in user with limited
(delegated) permissions escalate to root command execution; a few are
stored XSS issues reachable by clients on the network. The
privilege-escalation issues only apply if the affected app is installed
and the account/ACL in question exists:
* **luci-app-tailscale-community** (Critical, CVSS 9.9): command
injection allowing delegated users to run commands as root via
`tailscale.do_login`.
https://github.com/openwrt/luci/security/advisories/GHSA-xwc5-mx58-rh35
* **luci-app-advanced-reboot** (High): **CVE-2026-55897** — a read
ACL exposes `/bin/sh` via `file.exec`, allowing delegated users to run
commands as root.
https://github.com/openwrt/luci/security/advisories/GHSA-vj96-f37g-37f6
* **luci-app-adblock-fast** (High): **CVE-2026-55159** — delegated
users can reach root command execution via newline-separated cron
entries.
https://github.com/openwrt/luci/security/advisories/GHSA-ggpf-xrph-wg5v
* **luci-app-samba4** (High): a read ACL allows authenticated root
command execution via the smbd `file.exec` permission.
https://github.com/openwrt/luci/security/advisories/GHSA-vx64-mmp7-h36c
* **luci-app-travelmate** (High): a delegated UCI write can execute
the travelmate auto-login command as root.
https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g
* **luci-app-upnp** (High): stored XSS — an unauthenticated LAN
client can inject JavaScript via a UPnP port-mapping description.
https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89
* **luci-mod-network / luci-mod-status** (High): stored XSS via a
DHCPv6 lease hostname (FQDN) shown in the status tables.
https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh
* **luci-app-banip** (High): a crafted LuCI login username can
inject an arbitrary IP into banIP's log parser, causing the wrong
address to be blocked.
https://github.com/openwrt/luci/security/advisories/GHSA-r6hx-4f83-vp8m
* **ead (Emergency Access Daemon): CVE-2026-55490** (Moderate): an
integer underflow in `handle_send_a()` allowed a pre-auth denial of
service.
https://github.com/openwrt/openwrt/security/advisories/GHSA-9558-77jp-g3fw
* **Linux kernel: update to 6.12.94**, pulling in the upstream
6.12.88 through 6.12.94 stable releases, which fix multiple security
vulnerabilities, such as CVE-2026-43500.
* **OpenSSL: update to 3.5.7**, fixing multiple security
vulnerabilities (CVE-2026-7383, CVE-2026-9076, CVE-2026-34180,
CVE-2026-34181, CVE-2026-34182, CVE-2026-34183, CVE-2026-42764,
CVE-2026-42766, CVE-2026-42767, CVE-2026-42768, CVE-2026-42769,
CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447).
* **musl libc:** backport upstream fixes for CVE-2026-6042 and
CVE-2026-40200.
* **dropbear (SSH):** backport security fixes from upstream 2026.90
and 2026.91, including CVE-2019-6111 (a malicious server could trick the
scp client into overwriting arbitrary local files) and CVE-2026-35385.
Beyond the issues listed above, this release fixes a number of further
security problems for which no CVE number or dedicated advisory was
assigned. We **strongly recommend upgrading to the latest OpenWrt
release and installing all available package updates**.
Device support
==============
New devices supported in 25.12.5:
* ipq40xx: Linksys MR9000
* mediatek (filogic): GL.iNET GL-MT3600BE
* mediatek (filogic): Huasifei WH3000R (NAND)
* mediatek (filogic): JioRouter AX6000 (JIDU6101)
* mediatek (filogic): netis EAP930 V1
* mediatek (filogic): netis MEX605
* mediatek (filogic): TP-Link F65 v1
* mediatek (filogic): Zbtlink ZBT-Z8106AX-S
* mvebu: Zyxel NAS326
* ramips (mt76x8): Cudy WR300 v1
* ramips (mt7621): I-O DATA WN-AX2033GR2
New image variants for already supported devices:
* mediatek (filogic): Qihoo 360T7 - add UBI layout image
* mediatek (filogic): Creatlentem CLT-R30B1 - add all-in-UBI layout image
* mediatek (filogic): Bazis AX3000WM - also recognized under its
alternative name WD-R3000N-G2A
Device fixes:
* ath79: MikroTik - build `AG71XX_LEGACY` as a module, fixing
AR8216/AR8236/AR8316 switch bring-up on boot on some MikroTik devices
(https://github.com/openwrt/openwrt/issues/23739)
* mediatek: do not let devfreq power off the CPU (stability fix)
* mediatek (filogic): Wavlink WL-WN536AX6 rev A - several fixes
(correct 5 GHz MAC address, MAC-address nvmem layout, NAND bad-block
management, SPI drive strength, network LED)
* mediatek (filogic): Qihoo 360T7 - fix DDR3 rate
* ramips: PAX1800 Lite - fix label MAC device and avoid attaching
both UBI partitions on boot
* ramips (mt76x8): Cudy LT300 v3 - fix backup partition offset
* rtl8367b: fix RTL8367S-VB VLAN multicast memory handling
* mvebu: uDPU / eDPU - convert to dual (A/B) firmware
* ipq806x: AP3935 - disable hibernation on LAN1
* airoha (an7581): platform improvements and upstream networking fixes
WiFi fixes and improvements
============================
* wifi-scripts: fix a null dereference on 6 GHz-only radios
* wifi-scripts: fix EAP (802.1X) station mode in the wpa_supplicant
configuration generator
* wifi-scripts: fix tracking of disabled virtual interfaces
* hostapd: fix a misplaced radar-detected (DFS) ubus notification
Network and service improvements
=================================
* New "network" LED trigger (lan/wan/wlan) for link and activity
indication on supported devices
* odhcpd and odhcp6c received many DHCPv6/DHCPv4 and IPv6
prefix-delegation correctness and robustness fixes, on top of the
security fixes listed above, including more stable DHCPv6 IAID handling
* More robust handling of invalid DHCP / DHCPv6 client identifiers
* ubus, rpcd, uhttpd, umdns, uclient and fstools updated with
stability and hardening fixes
Core component updates
=======================
* Linux kernel: update from 6.12.87 to 6.12.94
* OpenSSL: update from 3.5.6 to 3.5.7 (multiple security fixes, see
above)
* wireless-regdb: update from 2026.03.18 to 2026.05.30
* dnsmasq: update from 2.91 to 2.93
* ca-certificates: update from 20260223 to 20260601 (refreshed root
CA bundle)
* util-linux: update from 2.41.3 to 2.41.5
Upgrading to 25.12.5
=====================
Upgrading from 24.10 to 25.12 should be transparent on most devices, as
most configuration data has either remained the same or will be
translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, [Attended
Sysupgrade](https://openwrt.org/docs/guide-user/installation/attended.sysupgrade)
is also supported, which allows preserving the installed packages.
* Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.
* Cron log level was fixed in busybox.
`system. at system[0].cronloglevel` should be set to `7` for normal
logging. `7` is the default now. If this option is not set, the default
is used and no manual action is needed.
https://github.com/openwrt/openwrt/commit/fc0c518a88e68d3deef04bec73b33d35186d6546
* Bananapi BPI-R4: Interface `eth1` was renamed to `sfp-lan` or
`lan4`, and interface `eth2` was renamed to `sfp-wan` to match the
labels. You have to upgrade without saving the configuration.
https://github.com/openwrt/openwrt/commit/cd8dcfef378044a1687adfa3738f01f9a9622baf
* **TP-Link RE355 v1, RE450 v1 and RE450 v2:** The partition layout
and block size changed in this release to fix configuration loss on
sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use
`sysupgrade -F` to force the upgrade. The image must not exceed 5.875 MB
(6016 KiB).
* **Meraki MX60:** Direct sysupgrade to 25.12.5 is not possible
without manual preparation — `meraki_loadaddr` must be changed before
upgrading, as the default value is insufficient to boot OpenWrt 25.12+.
See the device wiki page for instructions.
* **Sitecom WLR-7100 (X7 AC1200):** This device was moved from the
`ath79/generic` target to the `ath79/tiny` target in OpenWrt 25.12.4.
Users upgrading from 25.12.3 or earlier need to flash the new image from
the `ath79/tiny` target (use `sysupgrade -F`).
Known issues
============
* Zyxel EX5601-T0: the WAN interface was renamed from `eth1` to `wan`
— check and update your network configuration after upgrading.
* Pixel 10 phones have problems connecting to WPA3-protected WiFi 6
APs. https://github.com/openwrt/openwrt/issues/21486
* 802.11r Fast Transition (FT) causes connection problems with some
WiFi clients when WPA3 is used.
https://github.com/openwrt/openwrt/issues/22200
* SQM CAKE MQ (`cake_mq`): throughput may be unexpectedly low on some
configurations after the scheduler fixes in this release.
https://github.com/openwrt/openwrt/issues/22344
-----------------
Full release notes and upgrade instructions are available at
https://openwrt.org/releases/25.12/notes-25.12.5
In particular, make sure to read the known issues before upgrading:
https://openwrt.org/releases/25.12/notes-25.12.5#known_issues
For a detailed list of all changes, refer to
https://openwrt.org/releases/25.12/changelog-25.12.5
To download the 25.12.5 images, navigate to:
https://downloads.openwrt.org/releases/25.12.5/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=25.12.5
As always, a big thank you goes to all our active package maintainers,
testers, documenters and supporters.
Have fun!
The OpenWrt Community
---
To stay informed of new OpenWrt releases and security advisories, there
are new channels available:
* a low-volume mailing list for important announcements:
https://lists.openwrt.org/mailman/listinfo/openwrt-announce
* a dedicated "announcements" section in the forum:
https://forum.openwrt.org/c/announcements/14
* other announcement channels (such as RSS feeds) might be added in
the future, they will be listed at https://openwrt.org/contact
More information about the openwrt-devel
mailing list