OpenWrt 25.12.4 - Service Release - 14. May 2026

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 25.12.4, r32933-4ccb782af7 Dave's Guitar
 -----------------------------------------------------

The OpenWrt community is proud to announce the newest stable release of the OpenWrt 25.12 stable series.

Download firmware images via the Firmware Selector or directly from our download servers:

An upgrade from OpenWrt 24.10 to OpenWrt 25.12 is supported in many cases with the help of the sysupgrade utility, which will also attempt to preserve the configuration. A configuration backup is advised nonetheless when upgrading to OpenWrt 25.12 (see “Upgrading” below).

About OpenWrt

The OpenWrt Project is a Linux operating system targeting embedded devices. It is a complete replacement for the vendor-supplied firmware of a wide range of wireless routers and non-network devices. See the Table of Hardware for supported devices. For more information about OpenWrt project organization, see the About OpenWrt pages.

Announcements about new releases and security fixes

Do you want to be informed about important changes such as new releases and security fixes?

We have a new mailing list for this, as well as RSS options: see Important changes and announcements.

Main changes between OpenWrt 25.12.3 and OpenWrt 25.12.4

Only the main changes are listed below. See changelog-25.12.4 for the full changelog.

Security fixes

  • dnsmasq: backport six upstream CVE-fix patches to dnsmasq 2.91:
    • CVE-2026-2291: heap buffer overflow in DNS domain-name handling.
    • CVE-2026-4890 / CVE-2026-4891: DNSSEC crashes via crafted NSEC bitmaps / RRSIG packets.
    • CVE-2026-4892: buffer overflow on large DHCPv6 CLIDs (only with --dhcp-script).
    • CVE-2026-4893: broken EDNS Client Subnet validation.
    • CVE-2026-5172: buffer overflow in extract_addresses() on crafted resource records.
  • Linux kernel: CVE-2026-43284 (“Dirty Frag”) — local privilege escalation via the IPsec ESP path. Only relevant on devices with kmod-ipsec / esp4/esp6 loaded. Fixed via the 6.12.87 kernel update.

Device support

New devices supported in 25.12.4:

  • ath79: MikroTik RouterBOARD 960PGS (hEX PoE / PowerBox Pro)
  • mediatek: filogic: Cudy WR3000E v1: add ubootmod variant
  • mediatek: filogic: Cudy WR3000H v1: add ubootmod variant
  • mediatek: filogic: Cudy WR3000P v1: add ubootmod variant
  • mediatek: filogic: Cudy WR3000S v1: add ubootmod variant

Device fixes:

  • ath79: Sitecom WLR-7100 (X7 AC1200): fix MAC address assignment, wire up 5 GHz WLAN LED, and move to the tiny target to free ~800 KiB of flash
  • ipq40xx: Pakedge WR-1: restore lost band label on the WLAN LEDs
  • mediatek: filogic: Cudy WR3000E/H/P/S v1 and WBR3000UAX v1 (ubootmod NAND builds): disable NMBM, which was mistakenly enabled and prevented the NAND from being used correctly
  • microchipsw: fix LAN8814 QSGMII soft reset

WiFi fixes and improvements

  • wifi-scripts: fix basic_rate mapping in the wpa_supplicant ucode generator
  • mac80211: update backports package to 6.18.26 (general stability improvements)

Core component updates

  • Linux kernel: update from 6.12.85 to 6.12.87
  • mac80211: update from 6.18.7 to 6.18.26

Upgrading to 25.12

Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts. For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.

:!: Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

:!: Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. commit

:!: Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. commit

:!: TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).

:!: Meraki MX60: Direct sysupgrade to 25.12.4 is not possible without manual preparation — meraki_loadaddr must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions.

Known issues

  • Zyxel EX5601-T0: the WAN interface was renamed from eth1 to wan — check and update your network configuration after upgrading.
  • Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. (#21486)
  • 802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. (#22200)
  • SQM CAKE MQ (cake_mq): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. (#22344)

Final notes

As always, a big thank you goes to all our active package maintainers, testers, documenters, and supporters.

Have fun!

The OpenWrt Community

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2026/05/14 21:44
  • by hauke