OpenWrt 25.12 and 24.10 security release
Hauke Mehrtens
hauke at hauke-m.de
Mon May 4 01:52:22 PDT 2026
Hi,
I think we should soon do a minor release to fix the copy.fail
(CVE-2026-31431) problem.
It is not so urgent from my point of view, because copy.fail only works
when CONFIG_CRYPTO_USER_API is activated. This only gets included with
the kmod-crypto-user package and always on the starfive target. If you
are not on the starfive target and do not have kmod-crypto-user
installed you are not affected by copy.fail. Both are uncommon options.
All supported branches are fixed now.
I want to get fixes for the WPA3 SAE configuration and a mac80211
update into 25.12 too:
https://github.com/openwrt/openwrt/pull/23209
https://github.com/openwrt/openwrt/pull/23011
There are already people complaining about the WPA3 SAE configuration
improvements causing new problems in main branch.
There are also some other PRs:
https://github.com/openwrt/openwrt/pulls?q=is%3Apr+sort%3Aupdated-desc+label%3Arelease%2F25.12+is%3Aopen
I am also looking into some fixes by an AI for random problems in our
OpenWrt components and some of them are looking like real security
relevant bugs.
I am between these two options.
1. Release 25.12 and 24.10 now with the current state.
2. Get WPA3 SAE configuration improvements and mac80211 updates in and
release then.
Currently I would tend to option 1 now and do another release of 25.12
in about 3 weeks with some more fixes.
As we rebuild the packages continuously the WPA3 SAE configuration
improvements would automatically go to the users as soon as they are
committed, the mac80211 update needs a new release.
Hauke