OpenWrt 25.12.4 - Service Release

Thu May 14 14:56:26 PDT 2026

Hi,

The OpenWrt community is proud to announce the fourth service release of 
the OpenWrt 25.12 stable series.

Download firmware images using the OpenWrt Firmware Selector:
   * https://firmware-selector.openwrt.org/?version=25.12.4

Download firmware images directly from our download servers:
   * https://downloads.openwrt.org/releases/25.12.4/targets/

Main changes between OpenWrt 25.12.3 and OpenWrt 25.12.4
=========================================================

Only the main changes are listed below. See the [full 
changelog](https://openwrt.org/releases/25.12/changelog-25.12.4) for 
details.

Security fixes
==============

   * **dnsmasq:** backport six upstream CVE-fix patches to dnsmasq 2.91:
     * CVE-2026-2291: heap buffer overflow in DNS domain-name handling.
     * CVE-2026-4890 / CVE-2026-4891: DNSSEC crashes via crafted NSEC 
bitmaps / RRSIG packets.
     * CVE-2026-4892: buffer overflow on large DHCPv6 CLIDs (only with 
`--dhcp-script`).
     * CVE-2026-4893: broken EDNS Client Subnet validation.
     * CVE-2026-5172: buffer overflow in `extract_addresses()` on 
crafted resource records.
   * **Linux kernel: CVE-2026-43284 ("Dirty Frag")** — local privilege 
escalation via the IPsec ESP path. Only relevant on devices with 
`kmod-ipsec` / `esp4`/`esp6` loaded. Fixed via the 6.12.87 kernel update.

Device support
==============

New devices supported in 25.12.4:
   * ath79: MikroTik RouterBOARD 960PGS (hEX PoE / PowerBox Pro)
   * mediatek: filogic: Cudy WR3000E v1: add ubootmod variant
   * mediatek: filogic: Cudy WR3000H v1: add ubootmod variant
   * mediatek: filogic: Cudy WR3000P v1: add ubootmod variant
   * mediatek: filogic: Cudy WR3000S v1: add ubootmod variant

Device fixes:
   * ath79: Sitecom WLR-7100 (X7 AC1200): fix MAC address assignment, 
wire up 5 GHz WLAN LED, and move to the `tiny` target to free ~800 KiB 
of flash
   * ipq40xx: Pakedge WR-1: restore lost band label on the WLAN LEDs
   * mediatek: filogic: Cudy WR3000E/H/P/S v1 and WBR3000UAX v1 
(ubootmod NAND builds): disable NMBM, which was mistakenly enabled and 
prevented the NAND from being used correctly
   * microchipsw: fix LAN8814 QSGMII soft reset

WiFi fixes and improvements
============================

   * wifi-scripts: fix `basic_rate` mapping in the wpa_supplicant ucode 
generator
   * mac80211: update backports package to 6.18.26 (general stability 
improvements)

Core component updates
=======================

   * Linux kernel: update from 6.12.85 to 6.12.87
   * mac80211: update from 6.18.7 to 6.18.26

Upgrading to 25.12.4
=====================

Upgrading from 24.10 to 25.12 should be transparent on most devices, as 
most configuration data has either remained the same or will be 
translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, [Attended 
Sysupgrade](https://openwrt.org/docs/guide-user/installation/attended.sysupgrade) 
is also supported, which allows preserving the installed packages.

  * Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

  * Cron log level was fixed in busybox. 
`system. at system[0].cronloglevel` should be set to `7` for normal 
logging. `7` is the default now. If this option is not set, the default 
is used and no manual action is needed. 
https://github.com/openwrt/openwrt/commit/fc0c518a88e68d3deef04bec73b33d35186d6546

  * Bananapi BPI-R4: Interface `eth1` was renamed to `sfp-lan` or 
`lan4`, and interface `eth2` was renamed to `sfp-wan` to match the 
labels. You have to upgrade without saving the configuration. 
https://github.com/openwrt/openwrt/commit/cd8dcfef378044a1687adfa3738f01f9a9622baf

  * **TP-Link RE355 v1, RE450 v1 and RE450 v2:** The partition layout 
and block size changed in this release to fix configuration loss on 
sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use 
`sysupgrade -F` to force the upgrade. The image must not exceed 5.875 MB 
(6016 KiB).

  * **Meraki MX60:** Direct sysupgrade to 25.12.4 is not possible 
without manual preparation — `meraki_loadaddr` must be changed before 
upgrading, as the default value is insufficient to boot OpenWrt 25.12+. 
See the device wiki page for instructions.

Known issues
============

   * Zyxel EX5601-T0: the WAN interface was renamed from `eth1` to `wan` 
— check and update your network configuration after upgrading.
   * Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 
APs. https://github.com/openwrt/openwrt/issues/21486
   * 802.11r Fast Transition (FT) causes connection problems with some 
WiFi clients when WPA3 is used. 
https://github.com/openwrt/openwrt/issues/22200
   * SQM CAKE MQ (`cake_mq`): throughput may be unexpectedly low on some 
configurations after the scheduler fixes in this release. 
https://github.com/openwrt/openwrt/issues/22344

-----------------

Full release notes and upgrade instructions are available at
  https://openwrt.org/releases/25.12/notes-25.12.4

In particular, make sure to read the known issues before upgrading:
  https://openwrt.org/releases/25.12/notes-25.12.4#known_issues

For a detailed list of all changes, refer to
  https://openwrt.org/releases/25.12/changelog-25.12.4

To download the 25.12.4 images, navigate to:
  https://downloads.openwrt.org/releases/25.12.4/targets/
Use OpenWrt Firmware Selector to download:
  https://firmware-selector.openwrt.org?version=25.12.4

As always, a big thank you goes to all our active package maintainers, 
testers, documenters and supporters.

Have fun!

The OpenWrt Community

---

To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

   * a low-volume mailing list for important announcements:
https://lists.openwrt.org/mailman/listinfo/openwrt-announce

   * a dedicated "announcements" section in the forum:
https://forum.openwrt.org/c/announcements/14

   * other announcement channels (such as RSS feeds) might be added in
     the future, they will be listed at https://openwrt.org/contact