OpenWrt 25.12.1 - Service Release

Hi,

The OpenWrt community is proud to announce the first service release of the OpenWrt 25.12 stable series.

Download firmware images using the OpenWrt Firmware Selector:

Download firmware images directly from our download servers:

Main changes between OpenWrt 25.12.0 and OpenWrt 25.12.1

Only the main changes are listed below. See the full changelog for details.

Security fixes

OpenWrt components (Trail of Bits audit, February 2026):

  • CVE-2026-30871: Stack buffer overflow in umdns DNS PTR query handling (HIGH)
  • CVE-2026-30872: Stack buffer overflow in umdns IPv6 reverse DNS lookup (HIGH)
  • CVE-2026-30873: Memory leak in jsonpath when processing strings, labels, and regexp tokens (LOW)
  • CVE-2026-30874: Command execution via PATH environment variable filter bypass in procd (LOW)

LuCI:

  • CVE-2026-32721: Possible XSS attack via malicious SSID in LuCI WiFi scan modal (HIGH)

Additional hardening from the same Trail of Bits audit (no CVE assigned):

  • odhcpd: fix stack buffer overflow in DHCPv6 Identity Association logging
  • procd: fix out-of-bounds write in cgroup path building and cgroup rule application

Device support

  • airoha: fix EN7581 PCIe initialization and add x2 (2-lane) link support — improves PCIe reliability and unlocks full bandwidth for affected devices
  • ath79: TP-Link RE355 v1, RE450 v1/v2: fix partition alignment to prevent configuration loss on sysupgrade
  • ipq40xx: Devolo Magic 2 WiFi next: enable device support
  • ipq40xx: re-enable MeshPoint.One target
  • ipq806x: AP3935: fix U-Boot NVMEM layout
  • lantiq: fix GPIO expander clock (gpio-stp-xway) — restores correct LED and GPIO behaviour on affected devices
  • lantiq: fix missing WAN MAC address assignment on some devices
  • mediatek: Cudy M3000: add support for hardware variant with Motorcomm YT8821 PHY (previously only the Realtek PHY variant was supported)
  • mediatek: TP-Link BE450: fix 10GbE PHY reset timing that caused intermittent boot stalls, add missing WLAN toggle button, fix reported memory size
  • microchipsw: Novarq Tactical 1000: fix swapped SFP I2C buses for ports 1 and 3 — fixes SFP EEPROM read failures
  • ramips: Keenetic KN-1910: fix sysupgrade functionality
  • realtek: RTL838x-based switches: fix non-functional reboot
  • treewide: Linksys devices: fix MAC address assignment

WiFi fixes and improvements

  • mac80211: fix crash triggered by Channel Switch Announcement (CSA) when AP VLAN interfaces are in use
  • mt76: add MT7990 firmware support (new MediaTek WiFi 7 chipset)
  • mt76: mt7915: fix power save mode handling
  • mt76: mt7921/MT7902: add MT7902e MCU and DMA layout support
  • mt76: mt7996/mt7992: fix crash in transmit path, fix out-of-bounds access during hardware restart, improve MLO/CSA and radar detection support
  • wifi-scripts: fix incorrect VHT160 capability advertisement — was incorrectly set on non-160 MHz AP configurations, degrading station upload speed (https://github.com/openwrt/openwrt/issues/22435)
  • wifi-scripts: fix malformed wpa_supplicant config when 802.1X EAP credentials (identity, password, certificates) contain spaces (https://github.com/openwrt/openwrt/issues/22212)

Web interface (LuCI) and system fixes

  • luci-mod-network: fix XSS vulnerability in WiFi scan modal (CVE-2026-32721)
  • ustream-ssl (OpenSSL variant): fix use-after-free crash causing uhttpd (the LuCI web server) to crash under high load (https://github.com/openwrt/openwrt/issues/19349)

Networking and system fixes

  • firewall4: set as the preferred firewall package over the legacy firewall package
  • iptables: prefer the nftables-backed variants (iptables-nft, ip6tables-nft) when iptables is pulled in as a dependency
  • kernel: CAKE QoS scheduler fixes — avoid unnecessary synchronization overhead when running without a rate limit, fix DiffServ rate scaling
  • kernel: SFP: improve Huawei MA5671a module support — module is now accessible even when no fiber is connected
  • odhcpd: fix segfault when disabling a DHCP interface, fix DHCPv4 lease tree corruption, fix truncated field in DHCPv6 lease queries, fix DNS search list padding
  • ppp: fix potential memory safety issue (undefined behavior in memcpy with overlapping buffers); remove the MRU limit patch for PPPoE connections (https://github.com/ppp-project/ppp/pull/573)

Package manager (apk)

  • apk: update to version 3.0.5 with several OpenWrt-specific bug fixes
  • apk: add --force-reinstall option to reinstall already-installed packages without requiring a version change

Core component updates

  • apk: update from 3.0.2 to 3.0.5
  • jsonfilter: update from 2025-10-04 to 2026-03-16 (fixes CVE-2026-30873)
  • libubox: update from 2026-02-13 to 2026-03-13 (ABI version stabilized for 25.12 stable series)
  • Linux kernel: update from 6.12.71 to 6.12.74
  • odhcpd: update from 2026-01-19 to 2026-03-16
  • omcproxy: update from 2025-10-04 to 2026-03-07
  • procd: update from 2026-02-20 to 2026-03-14 (fixes CVE-2026-30874)
  • umdns: update from 2025-10-04 to 2026-02-06 (fixes CVE-2026-30871, CVE-2026-30872)
  • ustream-ssl: update from 2025-10-03 to 2026-03-01

Upgrading to 25.12.1

Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.

  • Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

  • Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. https://github.com/openwrt/openwrt/commit/fc0c518a88e68d3deef04bec73b33d35186d6546

  • Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. https://github.com/openwrt/openwrt/commit/cd8dcfef378044a1687adfa3738f01f9a9622baf

  • TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).

Known issues


Full release notes and upgrade instructions are available at
https://openwrt.org/releases/25.12/notes-25.12.1

In particular, make sure to read the known issues before upgrading:
https://openwrt.org/releases/25.12/notes-25.12.1#known_issues

For a detailed list of all changes, refer to
https://openwrt.org/releases/25.12/changelog-25.12.1

To download the 25.12.1 images, navigate to:
https://downloads.openwrt.org/releases/25.12.1/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=25.12.1

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community


To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

28 Likes

The 25.12.1 (and 24.10.6) builds went very smoothly, all tests with ASU clients ran first try without issue.

If you encounter issues with ASU upgrades, please report them on the respective client threads:

5 Likes

Updated on my GL-MT6000, added lots of packages. Very smooth sysupgrade. Great to see the new mt76 wifi driver included for this target too. Thanks a ton devs!

EDIT: OK, on my second MT6000 I tried to flash sysupgrade the traditional way in LuCI and this error came up. Any insight? I downloaded it twice to be sure. EDIT2: it's fixed thanks to guidance below.

3 Likes

I'm still having connection problems and slowness on a Galaxy S22+ connected to an MR70X v1.

Good evening all, thank you for the latest release. I was prepping to update an x86_64 device with imagebuilder, which does not appear to be working. This error pops up regardless of the command:

make info

/home/user/openwrt-imagebuilder-25.12.1-x86-64.Linux-x86_64/include/kernel-version.mk:11: *** Missing kernel version/hash file for . Please create /home/user/openwrt-imagebuilder-25.12.1-x86-64.Linux-x86_64/target/linux/generic/kernel-.  Stop.

The file in the error is present:

ls -al /home/user/openwrt-imagebuilder-25.12.1-x86-64.Linux-x86_64/target/linux/generic/kernel-*

-rw-r--r-- 1 user user 118 Mar 16 21:31 /home/user/openwrt-imagebuilder-25.12.1-x86-64.Linux-x86_64/target/linux/generic/kernel-6.12

cat /home/user/openwrt-imagebuilder-25.12.1-x86-64.Linux-x86_64/target/linux/generic/kernel-6.12
LINUX_VERSION-6.12 = .74
LINUX_KERNEL_HASH-6.12.74 = 3b56eeb1dc9a437f189ca56b823be3769994f59a4ea0895b08ec0d20acaca13e

I tried manually adding the kernel version in kernel-version.mk though the same error continues to pop up. Any ideas? Thanks again,

There's a bug that might make this release a bad one for devices that use the MT7915 chipset.

I can't tell if it impacts all of my clients, since I reverted to 25.12.0. But I'll do more testing tomorrow.

2 Likes

Yeah, I’m aware of a potential latency bug within the new mt76 driver. I’m going to hold off on this update on my second MT6000, which I can’t install anyway because I downloaded a clean sysupgrade image and am getting massive LuCI errors just trying to flash .1 over .0.

1 Like

Looks like /tmp is full, try removing anything big there, maybe also the whole /tmp/cache/ dir, and try again. No brick possible, because sysupgrade is saying the file is corrupted and it won't install...

Here's one of my devices, that adb list is pretty huge, you might have something similarly large.

$ ls -larS /tmp | tail
drwxr-xr-x    2 root     root            80 Mar 16 11:03 state
drwxr-xr-x    5 root     root           100 Mar 16 11:02 etc
drwxr-xr-x    2 root     root           120 Mar 17 07:23 log
-rw-r--r--    1 root     root           196 Mar 16 11:02 board.json
drwxr-xr-x    5 root     root           220 Mar 16 11:03 run
drwxrwxrwt    2 root     root           420 Mar 16 11:03 lock
drwxrwxrwt   17 root     root           460 Mar 18 10:27 .
drwxr-xr-x    1 root     root          1024 Mar 16 11:02 ..
-rw-------    1 root     root         13304 Mar 17 16:08 luci-indexcache.d13bca8d.json
-rw-r--r--    1 root     root       3302229 Mar 16 11:03 adb_list.overall

1 Like

Three TP-LINK Archer A7s updated from 25.12.0 to 25.12.1 using Attended Sysupgrade for the first time, one day after updating from 24.10.5 to 25.12.0 using owut for the first time. All devices updated without any network users noticing on both occasions.

I used to finish with “Thanks again to all who do the work to make this not just possible, but easy.” when updating via Luci, rebooting, comparing package lists, updating and installing packages, then rebooting again. This time I just clicked on a couple of things, am disgusted that you made me work so hard, and will be speaking to the manager about a full refund.

7 Likes

Based on the error message: is the tmpfs for /tmp out of space? How big is your image, and how big is your RAM? Also, how much data are you trying to preserve across the flash (e.g. changed conf-files and anything you have added to sysupgrade.conf)? Having large amounts of luci-app-statistics data that is configured to be preserved across upgrades can also cause this.

1 Like

Put in a ticket, IT will get back to you when they feel like it (maybe). :sweat_smile:

10 Likes

Linksys EA8300 (ipq40xx/generic) updated via owut smoothly. Everything is good as far as I can tell. Thank you devs and everyone sharing their findings for the fixes as always!

1 Like

Well... I guess there is some excitement after a new release. This time updating almost killed my patience, as I was on position 200 in queue :joy: :hourglass_not_done::
Build succeeded in 2227s total = 2144s in queue + 83s to build

Anyway, I successfully upgraded 6 of my 9 devices (GL-AR300M, GL-MT300N_v2, GL-AR150) from 25.12.0 to 25.12.1 using owut. Yay! :rocket: Thank you for all the work.

3 Likes

Is this the /dev/null problem from earlier RCs related to a temporary adblock bug?

1 Like

I am very interested in this bug. I can’t replicate it on two MT7981 routers (Cudy TR3000 & Confiabits 7981).

@cshoredaniel It’s an MT6000, 1GB RAM, 8GB eMMC. Have two, and have installed countless builds on them, and it’s never done this before. 25.12.0 must have done something crazy. 25.12.1 won’t install on this device with the usual sysupgrade flash method.

@dave14305 No idea how to tell if it’s the /dev/null problem. luci-app-adblock-fast won’t install in 25.12.0 (it was broken), so I installed regular luci-app-adblock and it works fine.

@efahl looks pretty typical:

root@OpenWrt:~# ls -larS /tmp | tail
-rw-r--r--    1 root     root           233 Mar 18 21:58 odhcpd.leases
-rw-r--r--    1 root     root           258 Mar 18 21:18 dhcp.leases
-rw-r--r--    1 root     root           296 Mar 18 20:03 sysupgrade.meta
drwxrwxrwt    2 root     root           560 Mar  5 18:42 lock
drwxr-xr-x   10 root     root           600 Mar 18 20:01 run
drwxrwxrwt   21 root     root           600 Mar 18 21:58 .
-rw-------    1 root     root           781 Mar 18 20:16 .busybox_ash_history
drwxr-xr-x    1 root     root          3488 Mar  2 19:14 ..
-rw-------    1 root     root         13910 Mar  9 16:01 luci-indexcache.8a50eb64.json
-rw-------    1 root     root      10629440 Mar 18 20:03 firmware.bin

1 Like

Just run ls -l /dev/null and see if it looks like this or not (with the c present at the beginning).

root@router:~# ls -l /dev/null
crw-rw-rw-    1 root     root        1,   3 Dec 31  1969 /dev/null

1 Like
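
The two diagnostics suggested in this thread (free space in /tmp, and whether /dev/null is still a character device) can be combined into one pre-flight check before flashing. This is an added example, not part of any post above or of OpenWrt's own tooling; the function names are illustrative, and it compares only the image size against /tmp, not the configuration preserved across the upgrade.

```shell
#!/bin/sh
# Added example: pre-flight checks before a sysupgrade, based on the two
# diagnostics discussed in this thread. Function names are illustrative.

# Classify a node from the first character of an `ls -l` output line.
ls_line_type() {
    case "$1" in
        c*) echo chardev ;;
        -*) echo regular ;;
        d*) echo directory ;;
        *)  echo other ;;
    esac
}

# Succeeds only if the path is a character device (what /dev/null must be).
is_char_device() {
    [ -c "$1" ]
}

# Succeeds if the filesystem holding directory $1 has at least $2 KiB free.
has_room_kib() {
    avail=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# Size of a file in KiB, rounded up.
file_kib() {
    bytes=$(wc -c < "$1")
    echo $(( (bytes + 1023) / 1024 ))
}

# Run both checks for a given image path; returns non-zero on any failure.
preflight() {
    image=$1
    rc=0
    if ! is_char_device /dev/null; then
        echo "FAIL: /dev/null is not a character device"; rc=1
    fi
    if ! has_room_kib /tmp "$(file_kib "$image")"; then
        echo "FAIL: not enough free space in /tmp for $image"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: /dev/null and /tmp look sane"; fi
    return "$rc"
}

# Run only when an image path is given, e.g.: sh preflight.sh ./firmware.bin
if [ -n "${1:-}" ]; then preflight "$1"; fi
```
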

@dave14305

root@OpenWrt:~# ls -l /dev/null
-rw-r--r--    1 root     root             0 Mar 18 22:01 /dev/null

Follow the instructions here:

4 Likes