OpenWrt 25.12.3 Released: Security Overhaul, Expanded Hardware Support, and System-Wide Hardening
The third service release of the 25.12 stable series arrives 40 days after 25.12.2, signalling a maturing and increasingly stable platform.
The OpenWrt community officially announced OpenWrt 25.12.3 on May 7, 2026 — the third service release in the 25.12 stable series. Coming 40 days after 25.12.2, this update is the most comprehensive yet: it patches dozens of CVE vulnerabilities across the kernel and core cryptographic libraries, adds support for ten new devices, fixes numerous existing devices, and upgrades foundational components across the board.
The extended gap since the previous release reflects a platform that is gradually converging toward long-term stability, having moved beyond the rapid emergency-patch cadence that characterised the series’ early weeks.
Full release notes are available at: openwrt.org/releases/25.12/notes-25.12.3
The 25.12 Series at a Glance
Four releases have been published since the series launched in early March 2026:
🛡️ Security Fixes: Comprehensive Vulnerability Remediation
This release delivers the most thorough security sweep in the 25.12 series, touching the Linux kernel and every major cryptographic library in the stack:
starfive target or those with kmod-crypto-user installed.
Additional security-adjacent updates include refreshed ca-certificates (20250419 → 20260223) and wireless-regdb (2026.02.04 → 2026.03.18), ensuring up-to-date certificate trust anchors and regional wireless regulatory compliance.
🖥️ New & Fixed Device Support
25.12.3 expands the supported device list with ten additions, primarily on MediaTek Filogic and x86 platforms, while also delivering targeted fixes for over a dozen existing devices:
Newly Supported Devices
Notable Device Fixes
📶 Wi-Fi Fixes and Enhancements
Wi-Fi improvements in this release are focused on the wifi-scripts package, which manages the ucode-based Wi-Fi configuration layer introduced in 25.12.0:
- erp_domain and fils_cache_id values generated by the ucode config script (#21768).
- bridge_isolate and network_vlan fields to the ucode schema (#22620).
- iface and other fields to the ucode station/VLAN schema (#22165).
- set_fixed_freq, improving Wi-Fi 7 frequency management.
🔗 Core System and Networking Improvements
- -u option (skip default config) which was broken under apk; fixes -f (custom backup) when the path contains spaces; updates the backup exclusion list.
- MAJOR/MINOR to DISKSEQ for stable disk identification, as MAJOR/MINOR values are not guaranteed to be sequential.
- devpath option for selecting cellular modems by USB device path, enabling more reliable modem management in multi-modem setups.
- kmod-vsock and kmod-vsock-virtio kernel modules for vsock communication in VM guest environments.
📦 Core Component Updates
The following core components were updated between 25.12.2 and 25.12.3:
| Component | Previous | Updated To |
|---|---|---|
| Linux kernel | 6.12.74 | 6.12.85 |
| mbedtls | 3.6.5 | 3.6.6 ★ security |
| OpenSSL | 3.5.5 | 3.5.6 ★ security |
| wolfSSL | 5.8.4 | 5.9.1 ★ security |
| ca-certificates | 20250419 | 20260223 |
| linux-firmware | 20251125 | 20260221 |
| wireless-regdb | 2026.02.04 | 2026.03.18 |
| xdp-tools | 1.4.3 | 1.6.3 |
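
An added example (not from the OpenWrt project or the original article): a POSIX shell check that compares a device's component versions against the "Updated To" column above and reports anything older. The `component|version` inventory format and the sample inventory are constructed for illustration, and versions are assumed to be purely dotted-numeric as in the table.

```shell
#!/bin/sh
# Added example: flag components older than the 25.12.3 levels.

# "Updated To" column of the table above, as component|version.
FIXED='Linux kernel|6.12.85
mbedtls|3.6.6
OpenSSL|3.5.6
wolfSSL|5.9.1
ca-certificates|20260223
linux-firmware|20260221
wireless-regdb|2026.03.18
xdp-tools|1.6.3'

# ver_lt A B: succeed when dotted-numeric version A is older than B.
# Missing trailing fields count as 0, so 1.4 is older than 1.4.3.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # equal versions are not "older"
}

# audit: read component|version lines on stdin and print one line for
# each component that is below the 25.12.3 level or not in the table.
audit() {
    while IFS='|' read -r name have; do
        [ -n "$name" ] || continue
        want=$(printf '%s\n' "$FIXED" | awk -F'|' -v n="$name" '$1 == n { print $2 }')
        if [ -z "$want" ]; then
            echo "UNKNOWN $name $have"
        elif ver_lt "$have" "$want"; then
            echo "OUTDATED $name $have < $want"
        fi
    done
}

# Constructed inventory: a device still partly on 25.12.2 versions.
SAMPLE='Linux kernel|6.12.74
mbedtls|3.6.6
OpenSSL|3.5.5
wolfSSL|5.9.1
wireless-regdb|2026.02.04'

printf '%s\n' "$SAMPLE" | audit
```

An empty result means every listed component is at or above the 25.12.3 level; `UNKNOWN` lines mark components the table does not cover.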
⚠️ Known Issues and Upgrade Notes
- Zyxel EX5601-T0 — WAN interface renamed from eth1 to wan; update network configuration after upgrading.
- Pixel 10 phones have problems connecting to WPA3-protected Wi-Fi 6 APs. (#21486)
- 802.11r Fast Transition (FT) causes connection problems with some Wi-Fi clients when WPA3 is used. (#22200)
- SQM CAKE MQ (cake_mq) — throughput may be unexpectedly low on some configurations after scheduler fixes in this release. (#22344)
- Meraki MX60 — direct sysupgrade is not possible without manual preparation; meraki_loadaddr must be changed first. See the device wiki page.
Upgrading within the 25.12 series is supported via Attended Sysupgrade (ASU), which preserves installed packages. Sysupgrade from 23.05 or earlier to 25.12 is not officially supported. Upgrades from 24.10 are generally transparent.
The Iterative Arc of the 25.12 Series
Each service release has addressed the most critical issues exposed by the previous one — a disciplined, problem-driven cadence that has steadily transformed an ambitious new architecture into a robust, reliable platform.
Foundation & Breakthrough
Architectural overhaul: apk replaces opkg, Wi-Fi scripts rewritten in ucode, Attended Sysupgrade ships by default, hardware support dramatically expanded.
Security & Reinforcement
Addresses Trail of Bits audit findings, patches LuCI XSS (CVE-2026-32721) and procd command-injection (CVE-2026-30874); adds early MT7990 Wi-Fi 7 support.
Emergency Firefighting
Focused entirely on fixing the severe MediaTek Wi-Fi latency regression (30 s+) introduced in 25.12.1. Pure bug-fix release — no new features or security patches.
Consolidation & Hardening
Comprehensive CVE remediation across kernel and all major crypto libraries, 10 new devices, 15+ device fixes, core component upgrades, and virtualization improvements.
With 25.12.3, the series has delivered on all three phases of mature branch maintenance: establish the architecture, secure the foundation, and progressively harden the system. It stands as the recommended version for anyone running OpenWrt on a supported device.
