OpenWrt 23.05.3 - Service Release


The OpenWrt community is proud to announce the newest stable release of the OpenWrt 23.05 stable series. It improves device support and brings a few bug fixes including security fixes.

Download firmware images using the OpenWrt Firmware Selector:

Download firmware images directly from our download servers:

Main changes between OpenWrt 23.05.2 and OpenWrt 23.05.3

Security fixes

  • CVE-2023-36328: dropbear: Integer Overflow vulnerability in mp_grow in libtommath
  • CVE-2023-48795: dropbear: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted
  • CVE-2023-50868: dnsmasq: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack

Device support

  • Support for the following devices was added:
    • ath79: UniFi UK-Ultra
    • mediatek: Acelink EW-7886CAX
    • mediatek: ASUS RT-AX59U
    • mediatek: ASUS TUF AX6000
    • mediatek: Buffalo WSR-3200AX4S
    • mediatek: Cetron CT3003
    • mediatek: Confiabits MT7981
    • mediatek: Cudy RE3000 v1
    • mediatek: D-Link EAGLE PRO AI M32
    • mediatek: GL.iNet GL-MT6000
    • mediatek: JCG Q30 PRO
    • mediatek: Routerich AX3000
    • mediatek: TP-Link EAP225v5
    • mediatek: Ubiquiti UniFi 6 Plus
    • mediatek: Zbtlink ZBT-Z8102AX
    • mediatek: ZyXEL EX5700 (Telenor)
    • ramips: Cudy WR1300 v3
    • ramips: D-Link COVR-X1860 A1
    • ramips: Rostelecom RT-FE-1A
    • ramips: Rostelecom RT-FL-1 (Serсomm RT-FL-1)
    • ramips: Rostelecom S1010 (Serсomm S1010.RT)
    • ramips: TP-Link EX220 v1
    • ramips: YunCore G720
    • ramips: Z-ROUTER ZR-2660
  • ath79: Nanostation Loco M5 XW: Fix read only jffs2 partition
  • ath79: TP-Link TL-WDR3600 and TL-WDR4300: Fix spurious reboot hangs
  • ath79: ubnt-bullet-m-xw: fix Ethernet PHY traffic
  • ipq807x: edgecore EAP102: fix lan/wan
  • kirkwood: Ctera C200 V1: fix ubi part name
  • lantiq: xway: disable SMP: fix boot on some Danube boards and NAT performance
  • mediatek: MT7981/MT7986: fix Ethernet rx hang issue
  • meidatek: Mercusys MR90X v1: fix eeprom loading
  • mpc85xx: Extreme Networks WS-AP3825i: increase available RAM
  • mvebu: IEI-World Puzzle M90x: fix RTC
  • ramips: improve mtk_eth_soc resets
  • ramips: rt305x: Use default uart in lzma-loader
  • ramips: Sercomm NA502: Fix bootup problem
  • ramips: Unielec u7621-01: Correct the PCIe port number
  • realtek: d-link dgs-1210-10p: improve sfp support
  • realtek: Netgear GS110TPP: fix OEM install
  • rockchip: Orange Pi R1 Plus LTS: improve Ethernet stability

Various fixes and improvements

  • mt76: Add mt7922 firmware
  • mwlwifi: Add support for WPA3
  • dropbear: Increase scp transfer speed
  • kernel: fix bridge proxyarp issue with some broken DHCP clients
  • mac80211: fix min_tx_power setting
  • kernel: add Aquantia PHY firmware loader patches
  • hostapd: fix FILS AKM selection with EAP-192
  • hostapd: fix 11r defaults when using SAE
  • hostapd: fix 11r defaults when using WPA
  • hostapd: ACS: Fix typo in bw_40 frequency array on channel 118

Core components update

  • Update Linux from 5.15.137 to 5.15.150
  • Update mwlwifi from 2023-04-29 to 2023-11-20
  • Update mt76 from 2023-08-14 to 2023-09-11
  • Update netifd from 2023-11-10 to 2024-01-04
  • Update jsonfilter from 2018-02-04 to 2024-01-23
  • Update bcm27xx-gpu-fw from 2022-05-16 to 2024-01-11
  • Update mbedtls from 2.28.5 to 2.28.7
  • Update openssl from 3.0.12 to 3.0.13
  • Update wireless-regdb from 2023.09.01 to 2024.01.23
  • Update intel-microcode from 20230808 to 20240312
  • Update dnsmasq from 2.89 to 2.90

Upgrading to 23.05.3

Sysupgrade can be used to upgrade a device from 22.03 to 23.05, and configuration will be preserved in most cases.

  • Sysupgrade from 21.02 to 23.05 is not officially supported.
  • ipq40xx EA6350v3, EA8300, MR8300 and WHW01 require tweak to the U-Boot environment on update from 22.03 to 23.05. Refer to the Device wiki or the instruction on sysupgrade on how to do this change. Config needs to be reset on sysupgrade.

Known issues

  • lantiq/xrx200 target shows error messages in DSA switch configuration of the integrated GSWIP switch. (see:
  • OpenWrt 23.05.3 was signed with the wrong signing keys. The keys from OpenWrt snapshot were used for OpenWrt 23.05.3, OpenWrt 23.05.2, OpenWrt 23.05.0 and the release candidates. A later OpenWrt 23.05 service release will use a different key.

See up to date information here:

Full release notes and upgrade instructions are available at

In particular, make sure to read the regressions and known issues before upgrading:

For a detailed list of all changes since 23.05.2, refer to

To download the 23.05.3 images, navigate to:
Use OpenWrt Firmware Selector to download:

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community

To stay informed of new OpenWrt releases and security advisories, there are new channels available:


Is it safe to download and install now? Wrt3200acm

Linksys E8450 (UBI): sysupgrade to 23.05.3 successful. Thank you all who contributed to this release.


Is there anyone looking at updating the release process/workflow to get this right? Or is there a reason to keep using the same key?


Thanks to all the OpenWrt contributors. :slight_smile:

The Attended Sysupgrade server still knows nothing about this new release.

Thanks to everyone who worked on the release!

sysupgrade keeping configuration from .2 to .3 on a Buffalo WZR-HP-AG300H seems good so far.

Edit next day: Also upgraded the main router, a Netgear WAX206. No apparent regressions there either. Several AP interfaces on 5GHz and 2.4GHz, and a mesh on 2.4GHz as well. Also SQM (cake/piece_of_cake) on WAN.

I built using a local imagebuilder. It looks like luci-ssl was not included by default - I had to explicitly add it to PACKAGES. I can't remember, is that how it should be for official releases and imagebuilder?

Thanks people.

You guys rock!!! :+1:

Netgear WAX206 upgraded with no issues. Thanks to all for the effort!

1 Like

No one working on this as far as I know.

1 Like

TP-Link TL-WR1043ND v3 updated from 23.05.2 to 23.05.3.
PPPoE download speed still VERY slow: DL: 180 / UL: 320 Mbps.

Just did successful sysupgrades on my main router, a PC Engines APU4D4 running Generic x86/64 combined EFI squashfs, and a wifi hotspot, a Ubiquiti UniFi 6 LR v1 behind it, while preserving the existing settings on both devices. I later installed the optional packages I had on the APU4D4 via SSH, and everything's still running smoothly.

Cheers for the upgrade!

Re-posting what I've discovered on the weekend already. Upgrading from 23.05.2 wireless interfaces fail to start due to unknown configuration items: wnm_sleep_mode, wnm_sleep_mode_no_keys, bss_transition.
The whole section got removed from the LUCI roaming settings. This deserves a huge warning as it may result in devices being inaccessible!


Fri Mar 22 23:10:10 2024 daemon.err hostapd: Line 80: unknown configuration item 'wnm_sleep_mode'
Fri Mar 22 23:10:10 2024 daemon.err hostapd: Line 81: unknown configuration item 'wnm_sleep_mode_no_keys'
Fri Mar 22 23:10:10 2024 daemon.err hostapd: Line 82: unknown configuration item 'bss_transition'
Fri Mar 22 23:10:10 2024 daemon.err hostapd: 3 errors found in configuration file ''
Fri Mar 22 23:10:10 2024 daemon.err hostapd: Failed to set up interface with data: driver=nl80211 logger_syslog=127 logger_syslog_level=2 logger_stdout=127 logger_stdout_level=2 country_code=DE ieee80211d=1 hw_mode=g supported_rates=60 90 120 180 240 360 480 540 basic_rates=60 120 240 beacon_int=100 chanlist=13 #num_global_macaddr=1 ieee80211n=1 ht_coex=0 ht_capab=[HT40-][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935] ieee80211ax=1 he_su_beamformer=1 he_su_beamformee=1 he_mu_beamformer=1 he_bss_color=8 he_spr_sr_control=3 he_default_pe_duration=4 he_rts_threshold=1023 he_mu_edca_qos_info_param_count=0 he_mu_edca_qos_info_q_ack=0 he_mu_edca_qos_info_queue_request=0 he_mu_edca_qos_info_txop_request=0 he_mu_edca_ac_be_aifsn=8 he_mu_edca_ac_be_aci=0 he_mu_edca_ac_be_ecwmin=9 he_mu_edca_ac_be_ecwmax=10 he_mu_edca_ac_be_timer=255 he_mu_edca_ac_bk_aifsn=15 he_mu_edca_ac_bk_aci=1 he_mu_edca_ac_bk_ecwmin=9 he_mu_edca_ac_bk_ecwmax=10 he_mu_edca_ac_bk_timer=255 he_mu_edca_ac_vi_ecwmin=5 he_mu_edca_ac_vi_ecwmax=7 he
Fri Mar 22 23:10:10 2024 daemon.notice hostapd: hostapd.add_iface failed for phy phy0 ifname=phy0-ap0


Thanks to all devs, congrats on the release!

edit: WRT32X: updated to 23.05.3, easy upgrade! GL-MT6000: keeping on recent snapshots.

The docs say those options require the full version of hostapd or wpad.


Itus shield (octeon) router and Extreme Networks WS-AP3825I AP's upgraded without issue.

I'll flash more devices this week...

Irrelevant, time_advertisement and time_zone don't cause issues when wpad is downgraded. Unknown and unused configuration items should not make your device inaccessible.

PPPoE is always (a lot) slower than normal routing.

Devices in Ath79 target are slow - mostly single core and up to 1GHz.

I can't handle gigabit PPPoE on anything but Filogic 880 or x86.

1 Like