OpenWrt 25.12.3 - Service Release

Hi,

The OpenWrt community is proud to announce the third service release of the OpenWrt 25.12 stable series.

Download firmware images using the OpenWrt Firmware Selector:

Download firmware images directly from our download servers:

Main changes between OpenWrt 25.12.2 and OpenWrt 25.12.3

Only the main changes are listed below. See the full changelog for details.

Security fixes

  • Linux kernel: fixes CVE-2026-31431 ("Copy Fail"). In earlier releases this only affected users on the starfive target and users who had installed kmod-crypto-user.
  • mbedtls: update to 3.6.6 (multiple CVE fixes)
  • OpenSSL: update to 3.5.6 (multiple CVE fixes)
  • wolfSSL: update to 5.9.1 (multiple CVE fixes)

Device support

New devices supported in 25.12.3:

  • mediatek: filogic: ASUS RT-AX52 PRO
  • mediatek: filogic: D-Link AQUILA PRO AI E30
  • mediatek: filogic: Huasifei WH3000 Pro (NAND variant)
  • mediatek: filogic: Keenetic KAP-630 / Netcraze NAP-630
  • mediatek: filogic: Zbtlink ZBT-Z8106AX-T
  • mediatek: filogic: Zyxel WX5600-T0
  • ramips: mt7621: EDUP EP-RT2983
  • ramips: mt76x8: Cudy LT300 v3
  • x86: DFI ADN553
  • x86: DFI ASL553

Device fixes:

  • ath79: Netgear WNDAP360: multiple fixes restoring proper operation (sysupgrade, kernel loader, ethernet, LED, serial baud rate and U-Boot environment)
  • ath79: Extreme Networks WS-AP3805i: fix U-Boot environment configuration
  • ath79: Mikrotik: fix included device packages
  • ipq50xx: Linksys MX5500: add label MAC device assignment
  • lantiq: Netgear DGN3500: fix U-Boot environment size — device was broken on 25.12 (https://github.com/openwrt/openwrt/issues/22692)
  • mediatek: filogic: Bananapi BPI-R4: add device tree overlay for the BE14 WiFi 7 module — fixes very low WiFi TX power on this module (https://github.com/openwrt/openwrt/issues/17489)
  • mediatek: filogic: Keenetic KN-1812: various Ethernet PHY device tree fixes (PHY reset, interrupt support, MDIO drive strength, partition naming, xsphy node)
  • mediatek: filogic: Netgear EAX17: fix rootfs hash in FIT node for per-device rootfs builds
  • mediatek: filogic: CMCC RAX3000M: add Airoha AN8855 switch support (https://github.com/openwrt/openwrt/issues/21230)
  • mediatek: filogic: Zbtlink ZBT-Z8103AX-D: enable NMBM on the SPI-NAND flash
  • mvebu: ClearFog Base/Pro: fix switch kernel module
  • qualcommax: ipq50xx: Xiaomi AX6000: enable PCIe1 for QCA9887
  • qualcommax: ipq807x: Linksys MX5300: add label MAC assignment
  • ramips: Yuncore CPE200: fix EEPROM size
  • ramips: mt7621: fix reset hang
  • ramips: Wavlink WL-WN575A3: fix EEPROM size for 5 GHz WiFi
  • ramips: Xiaomi Mi Router 4C: fix WAN LED GPIO (https://github.com/openwrt/openwrt/issues/18578)

WiFi fixes and improvements

Networking and system fixes

  • mbedtls: backport upstream patches to fix TLS 1.2 client issues — fixes a regression that broke DDNS updates and other TLS 1.2 client connections; the regression was introduced in mbedtls package updates shipped after the 25.12.2 release (https://github.com/openwrt/openwrt/issues/22874)
  • base-files: sysupgrade: fix -u option (skip default configuration) which was broken with apk
  • base-files: sysupgrade: fix -f (custom backup) when the path contains spaces
  • base-files: sysupgrade: update backup exclusion list
  • base-files: use DISKSEQ instead of MAJOR/MINOR for stable disk identification (MAJOR/MINOR are not sequential)
  • lantiq: fix mtdparsers refcount and memory leak
  • uqmi / umbim: introduce devpath option for selecting cellular modems by USB device path
  • kernel: add kmod-vsock and kmod-vsock-virtio for VM guests (vsock communication)

Core component updates

  • Linux kernel: update from 6.12.74 to 6.12.85
  • ca-certificates: update from 20250419 to 20260223
  • linux-firmware: update from 20251125 to 20260221
  • mbedtls: update from 3.6.5 to 3.6.6 (security fixes)
  • OpenSSL: update from 3.5.5 to 3.5.6 (security fixes)
  • wireless-regdb: update from 2026.02.04 to 2026.03.18
  • wolfSSL: update from 5.8.4 to 5.9.1 (security fixes)
  • xdp-tools: update from 1.4.3 to 1.6.3

Upgrading to 25.12.3

Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.

  • Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

  • Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. https://github.com/openwrt/openwrt/commit/fc0c518a88e68d3deef04bec73b33d35186d6546

  • Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. https://github.com/openwrt/openwrt/commit/cd8dcfef378044a1687adfa3738f01f9a9622baf

  • TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).

  • Meraki MX60: Direct sysupgrade to 25.12.3 is not possible without manual preparation — meraki_loadaddr must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions.

Known issues


Full release notes and upgrade instructions are available at
https://openwrt.org/releases/25.12/notes-25.12.3

In particular, make sure to read the known issues before upgrading:
https://openwrt.org/releases/25.12/notes-25.12.3#known_issues

For a detailed list of all changes, refer to
https://openwrt.org/releases/25.12/changelog-25.12.3

To download the 25.12.3 images, navigate to:
https://downloads.openwrt.org/releases/25.12.3/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=25.12.3

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community


To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

34 Likes

The 25.12.3 build had a few issues with the infrastructure services, but all's well that ends well. Once the builds completed, all tests with ASU clients ran first try without issue.

If you encounter issues with ASU upgrades, please report them on the respective client threads:

5 Likes

Cudy M3000 v2 with Motorcomm YT8821 just upgraded to 25.12.3
"sysupgrade.bin" installed via "Flash new firmware image" WebServer GUI

I haven't had any problems so far.
Thank you so much, developers!

Just updated from SNAPSHOT to 25.12.3 and discovered some quirks.

Firmware Version	OpenWrt 25.12.3 r32912-6639b15f62 / LuCI openwrt-25.12 branch 26.124.63982~650a6ca

Dynamic DNS still gets Curl error 35

 230927       : curl: (35) ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields

https-dns-proxy has the same problem, Curl error 35

[7 maj 2026 23:09:26 CEST] daemon.info: https-dns-proxy[6944]: [W] 1778188166.561339 https_client.c:364 1A0A: curl request failed with 35: Error
[7 maj 2026 23:09:26 CEST] daemon.info: https-dns-proxy[6944]: [W] 1778188166.561382 https_client.c:366 1A0A: curl error message: ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields
[7 maj 2026 23:09:26 CEST] daemon.info: https-dns-proxy[6944]: [W] 1778188166.561391 https_client.c:393 1A0A: No response (probably connection has been closed or timed out)
[7 maj 2026 23:09:27 CEST] user.err: ddns-scripts[25378]: afraid_ipv4: cURL Error: '35'
[7 maj 2026 23:09:27 CEST] user.warn: ddns-scripts[25378]: afraid_ipv4: Transfer failed - retry 1/0 in 1200 seconds
[7 maj 2026 23:09:27 CEST] user.err: ddns-scripts[25379]: afraid_ipv6: cURL Error: '35'
[7 maj 2026 23:09:27 CEST] user.warn: ddns-scripts[25379]: afraid_ipv6: Transfer failed - retry 1/0 in 60 seconds
[7 maj 2026 23:10:28 CEST] user.err: ddns-scripts[25379]: afraid_ipv6: cURL Error: '35'
[7 maj 2026 23:10:28 CEST] user.warn: ddns-scripts[25379]: afraid_ipv6: Transfer failed - retry 2/0 in 60 seconds
https-dns-proxy -V
2026.03.18-r1
Using: ev/4.33 c-ares/1.34.6 libcurl/8.19.0 **mbedTLS/3.6.6** nghttp2/1.66.0
Features: HTTP2 HTTPS-proxy IPv6

HTTPS DNS -Proxy CleanBrowsing (Security Filter)- not working, no resolv.

config https-dns-proxy
	option bootstrap_dns '185.228.168.9,185.228.169.9,2a0d:2a00:1::9,2a0d:2a00:2::9'
	option resolver_url 'https://doh.cleanbrowsing.org/doh/security-filter/'
	option listen_addr '127.0.0.1'
	option listen_port '5053'
	option user 'nobody'
	option group 'nogroup'

1 Like

Edgerouter Lite OK using sysupgrade :smiley:

Thanks to the devs!

Just in time :sweat_smile:

3 Likes

I upgraded 5 devices successfully: 3x glinet_gl-ar300m-nor and 2x glinet_gl-ar150.

mbedtls fix for TLS 1.2 does not seem to work:

username@hostname:~$ curl https://update.spdyn.de
curl: (35) ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields

Edit: the fix will probably work, but hasn't been built for my target yet. So: apologies.

1 Like

I had some errors attempting to install this new update. I have an OpenWrt One router. I'll try it again later today:

Updated successfully. Thanks!

I don't want to say "I told you..." :rofl:

1 Like

After a 41 day uptime on .2 updated one of my gl-mt6000 to .3, added lots of packages, config, etc. Everything working great, thanks devs!

I don’t think 25.12 packages have re-built since the mbedtls fix was merged. Still showing libmbedtls21-3.6.6-r1.apk instead of libmbedtls21-3.6.6-r2.apk.

3 Likes
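
A triage sketch for the symptom reported in this thread, added here as an example and not posted by any participant: it separates services that logged the mbedtls `-0x6600` handshake error from those that logged only curl exit code 35, and checks a package file name against the rebuilt release. The sample log lines are constructed, and `3.6.6-r2` as the fixed release is an assumption taken from the post above.

```shell
#!/bin/sh
# Added example: triage for the TLS 1.2 handshake failure reported in this thread.

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG="daemon.info: https-dns-proxy[6944]: [W] https_client.c:366 1A0A: curl error message: ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields
user.err: ddns-scripts[25378]: afraid_ipv4: cURL Error: '35'
daemon.info: dnsmasq[2101]: read /etc/hosts - 12 names"

# Read syslog text on stdin (e.g. from logread) and print one line per service:
#   confirmed = the mbedtls -0x6600 handshake error itself was logged
#   suspect   = only the generic curl exit code 35 (SSL connect error) was logged
tls_regression_hits() {
    awk '{
        lvl = 0
        if ($0 ~ /ssl_handshake returned: \(-0x6600\)/) lvl = 2
        else if ($0 ~ /curl: \(35\)|cURL Error: .35.|failed with 35/) lvl = 1
        # The syslog tag "name[pid]:" identifies the service that logged the line.
        if (lvl && match($0, /[A-Za-z0-9_.-]+\[[0-9]+\]:/)) {
            svc = substr($0, RSTART, RLENGTH); sub(/\[.*/, "", svc)
            if (lvl > seen[svc]) seen[svc] = lvl
        }
    }
    END { for (s in seen) print s, (seen[s] == 2 ? "confirmed" : "suspect") }' | sort
}

# Exit 0 if package file $1 is at or above release $2 (version-rN form).
pkg_has_fix() {
    have=${1%.apk}
    have=${have#libmbedtls21-}
    awk -v have="$have" -v need="$2" 'BEGIN {
        gsub(/-r/, ".", have); gsub(/-r/, ".", need)
        n = split(have, a, "."); m = split(need, b, ".")
        for (i = 1; i <= (n > m ? n : m); i++)
            if (a[i] + 0 != b[i] + 0) exit (a[i] + 0 < b[i] + 0)
        exit 0
    }'
}

# Assumption taken from a post in this thread: the rebuilt package is 3.6.6-r2.
FIXED="3.6.6-r2"
printf '%s\n' "$SAMPLE_LOG" | tls_regression_hits
for pkg in libmbedtls21-3.6.6-r1.apk libmbedtls21-3.6.6-r2.apk; do
    if pkg_has_fix "$pkg" "$FIXED"; then echo "$pkg: fix present"
    else echo "$pkg: still the pre-fix build"; fi
done
```

A "suspect" service is worth rechecking after the package rebuild, since curl exit code 35 alone does not identify the TLS library error behind it.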

Just updated from openwrt-25.12.3-mediatek-filogic-glinet_gl-mt6000-squashfs-sysupgrade.bin

Trying to install luci-app-sqm from http://openwrt.lan/cgi-bin/luci/admin/system/package-manager resulted in this error:

Luci interface for the SQM scripts queue management package

  • Required dependency package ip is not available in any repository.

  • Required dependency package iptables is not available in any repository.

  • Required dependency package tc is not available in any repository.


I'm sure I saw the fix under
Networking and system fixes.

Yes, the fix will be available in 25.12.3 once all the packages get rebuilt (separate build phase from the main images).

3 Likes

My 3 systems upgraded to 25.12.3 without issue:

Raspberry Pi 5 Model B Rev 1.0 / ext4

Linksys E8450 (UBI)

Netgear WNDR3700 v4

It’s always fun seeing how quickly things get fixed on OpenWRT (and open source in general). I guess when one is working on a labor of love, one wants it to work well. Thanks guys!

2 Likes

root@OpenWrt:~# apk -U add luci-app-sqm
OK: 43.7 MiB in 250 packages

Installed fine. No issue.

1 Like

That's a known issue with the LuCI Package Manager. Fix pending merge https://github.com/openwrt/luci/pull/8593, just use CLI like @phinn shows above for now.

4 Likes

Updated my Raspberry Pi from 25.12.2 to 25.12.3 using owut. Everything is fine except irqbalance.

It gives me this message, so I disabled it for now.

Irqbalance works fine on my Linksys MX5300 and MX5500 access points.

[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]: -----------------------------------------------------------------------------
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]: Package 0:  numa_node -1 cpu mask is 0000000f (load 30000000)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:         Cache domain 0:  numa_node is -1 cpu mask is 0000000f  (load 30000000)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:                 CPU number 3  numa_node is -1 (load 0)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:                   Interrupt 28 node_num is -1 (gbit-ethernet/1:476)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:                 CPU number 1  numa_node is -1 (load 0)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:                   Interrupt 27 node_num is -1 (gbit-ethernet/1:989)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:                 CPU number 2  numa_node is -1 (load 0)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:                 CPU number 0  numa_node is -1 (load 30000000)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:           Interrupt 26 node_num is -1 (legacy/1:0)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:           Interrupt 29 node_num is -1 (legacy/1:0)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:   Interrupt 14 node_num is -1 (other/738138:86)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:   Interrupt 11 node_num is -1 (other/15930048:1856)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:   Interrupt 35 node_num is -1 (other/1:0)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:   Interrupt 34 node_num is -1 (other/1:0)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:   Interrupt 33 node_num is -1 (other/755304:88)
[8 mei 2026, 07:31:59 CEST] daemon.info: irqbalance[3174]:   Interrupt 15 node_num is -1 (other/1:0)

Netgear SXK80 (SXR80 and SXS80) upgraded to 25.12.3 successfully, work fine and no issues in the kernel log or system log.

Good work people, I'm happy that security issues are addressed quickly, especially now that AI is apparently successfully being used to find vulnerabilities.