Hi,

The OpenWrt community is proud to announce the third service release of the OpenWrt 25.12 stable series.

Download firmware images using the OpenWrt Firmware Selector:

• https://firmware-selector.openwrt.org/?version=25.12.3

Download firmware images directly from our download servers:

• https://downloads.openwrt.org/releases/25.12.3/targets/

Main changes between OpenWrt 25.12.2 and OpenWrt 25.12.3

Only the main changes are listed below. See the full changelog for details.

Security fixes

• Linux kernel: fixes CVE-2026-31431 ("Copy Fail"). In earlier releases this only affected users on the starfive target and users who had installed kmod-crypto-user.
• mbedtls: update to 3.6.6 (multiple CVE fixes)
• OpenSSL: update to 3.5.6 (multiple CVE fixes)
• wolfSSL: update to 5.9.1 (multiple CVE fixes)

Device support

New devices supported in 25.12.3:

• mediatek: filogic: ASUS RT-AX52 PRO
• mediatek: filogic: D-Link AQUILA PRO AI E30
• mediatek: filogic: Huasifei WH3000 Pro (NAND variant)
• mediatek: filogic: Keenetic KAP-630 / Netcraze NAP-630
• mediatek: filogic: Zbtlink ZBT-Z8106AX-T
• mediatek: filogic: Zyxel WX5600-T0
• ramips: mt7621: EDUP EP-RT2983
• ramips: mt76x8: Cudy LT300 v3
• x86: DFI ADN553
• x86: DFI ASL553

Device fixes:

• ath79: Netgear WNDAP360: multiple fixes restoring proper operation (sysupgrade, kernel loader, ethernet, LED, serial baud rate and U-Boot environment)
• ath79: Extreme Networks WS-AP3805i: fix U-Boot environment configuration
• ath79: Mikrotik: fix included device packages
• ipq50xx: Linksys MX5500: add label MAC device assignment
• lantiq: Netgear DGN3500: fix U-Boot environment size — device was broken on 25.12 (#22692)
• mediatek: filogic: Bananapi BPI-R4: add device tree overlay for the BE14 WiFi 7 module — fixes very low WiFi TX power on this module (#17489)
• mediatek: filogic: Keenetic KN-1812: various Ethernet PHY device tree fixes (PHY reset, interrupt support, MDIO drive strength, partition naming, xsphy node)
• mediatek: filogic: Netgear EAX17: fix rootfs hash in FIT node for per-device rootfs builds
• mediatek: filogic: CMCC RAX3000M: add Airoha AN8855 switch support (#21230)
• mediatek: filogic: Zbtlink ZBT-Z8103AX-D: enable NMBM on the SPI-NAND flash
• mvebu: ClearFog Base/Pro: fix switch kernel module
• qualcommax: ipq50xx: Xiaomi AX6000: enable PCIe1 for QCA9887
• qualcommax: ipq807x: Linksys MX5300: add label MAC assignment
• ramips: Yuncore CPE200: fix EEPROM size
• ramips: mt7621: fix reset hang
• ramips: Wavlink WL-WN575A3: fix EEPROM size for 5 GHz WiFi
• ramips: Xiaomi Mi Router 4C: fix WAN LED GPIO (#18578)

WiFi fixes and improvements

• wifi-scripts: fix incorrect erp_domain and fils_cache_id values generated by the ucode-based config script (#21768)
• wifi-scripts: add missing bridge_isolate and network_vlan fields to the ucode schema (#22620)
• wifi-scripts: add missing iface and other fields to the ucode station/vlan schema (#22165)
• wifi-scripts: add EHT (WiFi 7) rates to set_fixed_freq

Networking and system fixes

• mbedtls: backport upstream patches to fix TLS 1.2 client issues — fixes a regression that broke DDNS updates and other TLS 1.2 client connections; the regression was introduced in mbedtls package updates shipped after the 25.12.2 release (#22874)
• base-files: sysupgrade: fix -u option (skip default configuration) which was broken with apk
• base-files: sysupgrade: fix -f (custom backup) when the path contains spaces
• base-files: sysupgrade: update backup exclusion list
• base-files: use DISKSEQ instead of MAJOR/MINOR for stable disk identification (MAJOR/MINOR are not sequential)
• lantiq: fix mtdparsers refcount and memory leak
• uqmi / umbim: introduce devpath option for selecting cellular modems by USB device path
• kernel: add kmod-vsock and kmod-vsock-virtio for VM guests (vsock communication)

Core component updates

• Linux kernel: update from 6.12.74 to 6.12.85
• ca-certificates: update from 20250419 to 20260223
• linux-firmware: update from 20251125 to 20260221
• mbedtls: update from 3.6.5 to 3.6.6 (security fixes)
• OpenSSL: update from 3.5.5 to 3.5.6 (security fixes)
• wireless-regdb: update from 2026.02.04 to 2026.03.18
• wolfSSL: update from 5.8.4 to 5.9.1 (security fixes)
• xdp-tools: update from 1.4.3 to 1.6.3

Upgrading to 25.12.3

Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.

• Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

• Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. fc0c518

• Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. cd8dcfe

• TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).

• Meraki MX60: Direct sysupgrade to 25.12.3 is not possible without manual preparation — meraki_loadaddr must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions.

Known issues

• Zyxel EX5601-T0: the WAN interface was renamed from eth1 to wan — check and update your network configuration after upgrading.
• Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. #21486
• 802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. #22200
• SQM CAKE MQ (cake_mq): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. #22344

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/25.12/notes-25.12.3

In particular, make sure to read the known issues before upgrading:
https://openwrt.org/releases/25.12/notes-25.12.3#known_issues

For a detailed list of all changes, refer to
https://openwrt.org/releases/25.12/changelog-25.12.3

To download the 25.12.3 images, navigate to:
https://downloads.openwrt.org/releases/25.12.3/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=25.12.3

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community

To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

• a low-volume mailing list for important announcements:
  https://lists.openwrt.org/mailman/listinfo/openwrt-announce

• a dedicated "announcements" section in the forum:
  https://forum.openwrt.org/c/announcements/14

• other announcement channels (such as RSS feeds) might be added in
  the future, they will be listed at https://openwrt.org/contact