Firmware update: OpenWrt 25.12.3
Version 25.12.3 of OpenWrt has been released. OpenWrt is alternative open-source firmware for a large number of routers and embedded devices. The apk package management system lets you decide for yourself what the router can and cannot do. Several people on GoT are also actively working with it: see this topic. You can update with an Attended Sysupgrade, manually with a precompiled firmware image for the device you use, or by building your own variant with the firmware selector. The changelog for this release can be found below.
Security fixes
- Linux kernel: fixes CVE-2026-31431 (“Copy Fail”). The vulnerability only triggers when the kernel is built with CONFIG_CRYPTO_USER_API, which is enabled by the kmod-crypto-user package and is always enabled on the starfive target. Devices that are not on the starfive target and do not have kmod-crypto-user installed are not affected.
- mbedtls: update to 3.6.6 (multiple CVE fixes)
- OpenSSL: update to 3.5.6 (multiple CVE fixes)
- wolfSSL: update to 5.9.1 (multiple CVE fixes)
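
The exposure conditions for CVE-2026-31431 listed above can be turned into a quick device check. This is an added example, not part of the release notes or OpenWrt project code. It assumes an `/etc/openwrt_release`-style file and a file of installed package names, one per line; the function names, output labels and the rule that only 25.12.3 and later 25.12.x releases count as fixed are assumptions of this example.

```sh
#!/bin/sh
# Added example, not OpenWrt code: CVE-2026-31431 check per the 25.12.3 notes.

# release_field FILE KEY: value of KEY from an /etc/openwrt_release-style file.
release_field() {
    sed -n "s/^$2=//p" "$1" | tr -d "'\""
}

# release_has_fix VERSION: true for 25.12.3 and later 25.12.x point releases.
# Assumption: other series, release candidates and snapshots count as unfixed.
release_has_fix() {
    case "$1" in
        25.12.*) patch=${1#25.12.} ;;
        *) return 1 ;;
    esac
    case "$patch" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$patch" -ge 3 ]
}

# copy_fail_status RELEASE_FILE PKG_LIST
# PKG_LIST holds installed package names, one per line (assumed input format).
# Prints: fixed | exposed | not-exposed
copy_fail_status() {
    release=$(release_field "$1" DISTRIB_RELEASE)
    target=$(release_field "$1" DISTRIB_TARGET)
    if release_has_fix "$release"; then
        echo fixed; return 0
    fi
    case "$target" in
        starfive|starfive/*) echo exposed; return 0 ;;  # always built in
    esac
    if grep -qx 'kmod-crypto-user' "$2"; then
        echo exposed        # package enables CONFIG_CRYPTO_USER_API
    else
        echo not-exposed
    fi
}

# Constructed sample: an unpatched filogic device with kmod-crypto-user.
demo() {
    d=$(mktemp -d)
    printf "DISTRIB_RELEASE='25.12.2'\nDISTRIB_TARGET='mediatek/filogic'\n" > "$d/rel"
    printf 'base-files\nkmod-crypto-user\n' > "$d/pkgs"
    copy_fail_status "$d/rel" "$d/pkgs"
    rm -rf "$d"
}
demo
```

A result of `exposed` means the stated precondition is present on a release this example does not recognise as fixed; upgrading to 25.12.3 is the remedy the release notes give.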

Device support
- mediatek: filogic: ASUS RT-AX52 PRO
- mediatek: filogic: D-Link AQUILA PRO AI E30
- mediatek: filogic: Huasifei Wb000 Pro (NAND variant)
- mediatek: filogic: Keenetic KAP-630 / Netcraze NAP-630
- mediatek: filogic: Zbtlink ZBT-Z8103AX-D
- mediatek: filogic: Zbtlink ZBT-Z8106AX-T
- mediatek: filogic: Zyxel WX5600-T0
- ramips: EDUP EP-RT2983
- ramips: mt76x8: Cudy LT300 v3
- x86: DFI ADN553
- x86: DFI ASL553

Device fixes:
- ath79: Netgear WNDAP360: multiple fixes restoring proper operation (sysupgrade, kernel loader, ethernet, LED, serial baud rate and U-Boot environment)
- ath79: Extreme Networks WS-AP3805i: fix U-Boot environment configuration
- ath79: Mikrotik: fix included device packages
- ipq50xx: Linksys MX5500: add label MAC device assignment
- lantiq: Netgear DGN3500: fix U-Boot environment size — device was broken on 25.12 (#22692)
- mediatek: filogic: Bananapi BPI-R4: add device tree overlay for the BE14 WiFi 7 module — fixes very low WiFi TX power on this module (#17489)
- mediatek: filogic: Keenetic KN-1812: various Ethernet PHY device tree fixes (PHY reset, interrupt support, MDIO drive strength, partition naming, xsphy node)
- mediatek: filogic: Netgear EAX17: fix rootfs hash in FIT node for per-device rootfs builds
- mediatek: filogic: CMCC RAX3000M: add Airoha AN8855 switch support (#21230)
- mvebu: ClearFog Base/Pro: fix switch kernel module
- qualcommax: ipq50xx: Xiaomi AX6000: enable PCIe1 for QCA9887
- qualcommax: ipq807x: Linksys MX5300: add label MAC assignment
- ramips: Yuncore CPE200: fix EEPROM size
- ramips: mt7621: fix reset hang
- ramips: Wavlink WL-WN575A3: fix EEPROM size for 5 GHz WiFi
- ramips: Xiaomi Mi Router 4C: fix WAN LED GPIO (#18578)

WiFi fixes and improvements
- wifi-scripts: fix incorrect erp_domain and fils_cache_id values generated by the ucode-based config script (#21768)
- wifi-scripts: add missing bridge_isolate and network_vlan fields to the ucode schema (#22620)
- wifi-scripts: add missing iface and other fields to the ucode station/vlan schema (#22165)
- wifi-scripts: add EHT (WiFi 7) rates to set_fixed_freq

Networking and system fixes
- mbedtls: backport upstream patches to fix TLS 1.2 client issues — fixes a regression that broke DDNS updates and other TLS 1.2 client connections; the regression was introduced in mbedtls package updates shipped after the 25.12.2 release (OpenWrt packages follow a rolling release model) (#22874)
- base-files: sysupgrade: fix -u option (skip default configuration) which was broken with apk
- base-files: sysupgrade: fix -f (custom backup) when the path contains spaces
- base-files: sysupgrade: update backup exclusion list
- base-files: use DISKSEQ instead of MAJOR/MINOR for stable disk identification (MAJOR/MINOR are not sequential)
- lantiq: fix mtdparsers refcount and memory leak
- uqmi / umbim: introduce devpath option for selecting cellular modems by USB device path

Core component updates
- Linux kernel: update from 6.12.74 to 6.12.85
- ca-certificates: update from 20250419 to 20260223
- linux-firmware: update from 20251125 to 20260221
- mbedtls: update from 3.6.5 to 3.6.6 (security fixes)
- OpenSSL: update from 3.5.5 to 3.5.6 (security fixes)
- wireless-regdb: update from 2026.02.04 to 2026.03.18
- wolfSSL: update from 5.8.4 to 5.9.1 (security fixes)
Source:
Tweakers.net