Changes from 2.6.3 to 2.6.4:

Updates:

• Updated LAV Filters to version 0.81-7-g8c4ee

Changes:

• For some users it was unclear that all nodes in the settings tree corresponded to pages, so now there is a leaf node for all pages.
• Added hotkey for toggling "Override all styles".

Fixes:

• Several small fixes and improvements.

Changelog

Bug fixes

• 3caa62b: fix: frontend error when devices share same mac address, close #1702 (@seriousm4x)
• 48a8c73: fix: loop in shutdown code rewritten to work properly (#1695) (@invario)

Others

• 9dac3e9: Add ability for device/network scan when rootless (#1700) (@invario)
• 66e08ad: frontend: use @tailwindcss/vite instead of postcss (@seriousm4x)
• c2bf398: small fixes (@seriousm4x)
• d31a6ef: update deps (@seriousm4x)
• 1d361e3: update ping privileged/unprivileged logic (#1586) (@invario)

Go dependencies

• 20e2520: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• c5613a5: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 288deda: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 457a17c: go-dep: bump github.com/pocketbase/pocketbase in /backend (@dependabot[bot])
• 190f87d: go-dep: bump golang.org/x/sys from 0.41.0 to 0.42.0 in /backend (@dependabot[bot])

Npm dependencies

• be94f35: npm-dep: bump @eslint/js from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 84a362a: npm-dep: bump @eslint/js from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 9f00286: npm-dep: bump @inlang/cli from 3.1.6 to 3.1.7 in /frontend (@dependabot[bot])
• 91eab52: npm-dep: bump @inlang/paraglide-js from 2.11.0 to 2.12.0 in /frontend (@dependabot[bot])
• 06b4626: npm-dep: bump @inlang/paraglide-js from 2.12.0 to 2.13.0 in /frontend (@dependabot[bot])
• 969ded6: npm-dep: bump @inlang/paraglide-js from 2.13.0 to 2.13.1 in /frontend (@dependabot[bot])
• f794681: npm-dep: bump @inlang/paraglide-js from 2.13.1 to 2.13.2 in /frontend (@dependabot[bot])
• 0acba76: npm-dep: bump @inlang/paraglide-js from 2.13.2 to 2.14.0 in /frontend (@dependabot[bot])
• 5c5b908: npm-dep: bump @inlang/paraglide-js from 2.14.0 to 2.15.0 in /frontend (@dependabot[bot])
• e4ab3c3: npm-dep: bump @sveltejs/kit from 2.51.0 to 2.52.0 in /frontend (@dependabot[bot])
• 0bead88: npm-dep: bump @sveltejs/kit from 2.52.0 to 2.52.2 in /frontend (@dependabot[bot])
• 1e168d4: npm-dep: bump @sveltejs/kit from 2.52.2 to 2.53.0 in /frontend (@dependabot[bot])
• ad36a40: npm-dep: bump @sveltejs/kit from 2.53.0 to 2.53.1 in /frontend (@dependabot[bot])
• ebd3e01: npm-dep: bump @sveltejs/kit from 2.53.1 to 2.53.3 in /frontend (@dependabot[bot])
• c57adf8: npm-dep: bump @sveltejs/kit from 2.53.3 to 2.53.4 in /frontend (@dependabot[bot])
• e09b968: npm-dep: bump @sveltejs/kit from 2.53.4 to 2.54.0 in /frontend (@dependabot[bot])
• b39857b: npm-dep: bump @sveltejs/kit from 2.54.0 to 2.55.0 in /frontend (@dependabot[bot])
• 01dcca3: npm-dep: bump @tailwindcss/postcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• 81e252b: npm-dep: bump @tailwindcss/postcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• d6604b2: npm-dep: bump @tailwindcss/postcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• 835f5b9: npm-dep: bump daisyui from 5.5.18 to 5.5.19 in /frontend (@dependabot[bot])
• a2d6d73: npm-dep: bump eslint from 9.39.2 to 9.39.3 in /frontend (@dependabot[bot])
• 3bf1ba5: npm-dep: bump eslint from 9.39.3 to 9.39.4 in /frontend (@dependabot[bot])
• 29c99ed: npm-dep: bump eslint-plugin-svelte from 3.15.0 to 3.15.1 in /frontend (@dependabot[bot])
• faeed49: npm-dep: bump eslint-plugin-svelte from 3.15.1 to 3.15.2 in /frontend (@dependabot[bot])
• e6d2992: npm-dep: bump postcss from 8.5.6 to 8.5.8 in /frontend (@dependabot[bot])
• cea0136: npm-dep: bump prettier-plugin-svelte from 3.4.1 to 3.5.0 in /frontend (@dependabot[bot])
• b09510f: npm-dep: bump prettier-plugin-svelte from 3.5.0 to 3.5.1 in /frontend (@dependabot[bot])
• 28ef84d: npm-dep: bump svelte from 5.50.3 to 5.51.2 in /frontend (@dependabot[bot])
• 58136f2: npm-dep: bump svelte from 5.51.2 to 5.51.3 in /frontend (@dependabot[bot])
• 0b7c4a6: npm-dep: bump svelte from 5.51.3 to 5.53.0 in /frontend (@dependabot[bot])
• d99d19b: npm-dep: bump svelte from 5.53.0 to 5.53.3 in /frontend (@dependabot[bot])
• 88d333d: npm-dep: bump svelte from 5.53.10 to 5.53.11 in /frontend (@dependabot[bot])
• ed83590: npm-dep: bump svelte from 5.53.11 to 5.53.12 in /frontend (@dependabot[bot])
• 2e69ba9: npm-dep: bump svelte from 5.53.12 to 5.54.0 in /frontend (@dependabot[bot])
• 4f1ec6c: npm-dep: bump svelte from 5.53.3 to 5.53.5 in /frontend (@dependabot[bot])
• d6300e8: npm-dep: bump svelte from 5.53.5 to 5.53.6 in /frontend (@dependabot[bot])
• 07d7bec: npm-dep: bump svelte from 5.53.6 to 5.53.7 in /frontend (@dependabot[bot])
• 78068c1: npm-dep: bump svelte from 5.53.7 to 5.53.9 in /frontend (@dependabot[bot])
• 1273d1b: npm-dep: bump svelte from 5.53.9 to 5.53.10 in /frontend (@dependabot[bot])
• f299c9d: npm-dep: bump svelte-check from 4.3.6 to 4.4.0 in /frontend (@dependabot[bot])
• 6819248: npm-dep: bump svelte-check from 4.4.0 to 4.4.1 in /frontend (@dependabot[bot])
• 2d55e9f: npm-dep: bump svelte-check from 4.4.1 to 4.4.3 in /frontend (@dependabot[bot])
• 13a06a5: npm-dep: bump svelte-check from 4.4.3 to 4.4.4 in /frontend (@dependabot[bot])
• cddad0f: npm-dep: bump svelte-check from 4.4.4 to 4.4.5 in /frontend (@dependabot[bot])
• 745094b: npm-dep: bump tailwindcss from 4.1.18 to 4.2.0 in /frontend (@dependabot[bot])
• db528a9: npm-dep: bump tailwindcss from 4.2.0 to 4.2.1 in /frontend (@dependabot[bot])
• 611c4d2: npm-dep: bump tailwindcss from 4.2.1 to 4.2.2 in /frontend (@dependabot[bot])
• e997211: npm-dep: bump typescript-eslint from 8.55.0 to 8.56.0 in /frontend (@dependabot[bot])
• 7498a69: npm-dep: bump typescript-eslint from 8.56.0 to 8.56.1 in /frontend (@dependabot[bot])
• 0766482: npm-dep: bump typescript-eslint from 8.56.1 to 8.57.0 in /frontend (@dependabot[bot])
• 52f00c4: npm-dep: bump typescript-eslint from 8.57.0 to 8.57.1 in /frontend (@dependabot[bot])

Github Actions

• fb0f9f0: gh-action: bump actions/download-artifact from 7 to 8 (@dependabot[bot])
• 285f8dc: gh-action: bump actions/upload-artifact from 6 to 7 (#1665) (@dependabot[bot])
• 9c0f6e1: gh-action: bump docker/build-push-action from 6 to 7 (#1680) (@dependabot[bot])
• 7f3020d: gh-action: bump docker/login-action from 3 to 4 (@dependabot[bot])
• ca3fb1c: gh-action: bump docker/metadata-action from 5 to 6 (@dependabot[bot])
• 6cf9539: gh-action: bump docker/setup-buildx-action from 3 to 4 (@dependabot[bot])
• 8301cad: gh-action: bump docker/setup-qemu-action from 3 to 4 (@dependabot[bot])
• 0232a43: gh-action: bump goreleaser/goreleaser-action from 6 to 7 (@dependabot[bot])
• 9bed4f4: gh-action: bump pnpm/action-setup from 4 to 5 (@dependabot[bot])

• Reloading has been refactored to encourage more careful consideration of the use of ammo. When you reload a magazine-fed weapon, all remaining ammo in the magazine is discarded and a new, full magazine is taken from the reserves.
• Reserve ammunition is now represented either as number of magazines, shells, or bullets, depending on the weapon.
• The fill-level of the current weapon is now displayed below the ammo count.
• Tuned reserve magazine counts per-weapon.

• Limited map guides are now available in Competitive and Retakes (first 5 rounds of the half, 30 node max).
• sv_allow_annotations_access_level supports 3 values: 0 – disabled. 1 – limited view. 2 – full and editable.
• sv_annotation_limits_max_rounds_per_half (default 5) determines how many rounds into the half guides are allowed. -1 for unlimited.
• Minimal starter map guides have been added for all Active Duty maps.

• Friends playing a Practice or Workshop map can be joined through the friends menu if they have Open Party set.

Bugfixes and minor changes:

• FTP: Fixed a crash when transfers are aborted

• View downloads
• View release notes

• View downloads
• View release notes

• View downloads

The Stable channel has been updated to 146.0.7680.153/154 for Windows/Mac  and 146.0.7680.153 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 26 security fixes. Please see the Chrome Security Page for more information.

[TBD][475877320] Critical CVE-2026-4439: Out of bounds memory access in WebGL. Reported by Goodluck on 2026-01-15
[TBD][485935305] Critical CVE-2026-4440: Out of bounds read and write in WebGL. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-20
[TBD][489381399] Critical CVE-2026-4441: Use after free in Base. Reported by Google on 2026-03-03
[TBD][484751092] High CVE-2026-4442: Heap buffer overflow in CSS. Reported by Syn4pse on 2026-02-16
[TBD][485292589] High CVE-2026-4443: Heap buffer overflow in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
[TBD][486349161] High CVE-2026-4444: Stack buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-21
[TBD][486421953] High CVE-2026-4445: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
[TBD][486421954] High CVE-2026-4446: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
[TBD][486657483] High CVE-2026-4447: Inappropriate implementation in V8. Reported by Erge on 2026-02-23
[TBD][486972661] High CVE-2026-4448: Heap buffer overflow in ANGLE. Reported by M. Fauzan Wijaya (Gh05t666nero) on 2026-02-23
[TBD][487117772] High CVE-2026-4449: Use after free in Blink. Reported by Syn4pse on 2026-02-24
[TBD][487746373] High CVE-2026-4450: Out of bounds write in V8. Reported by qymag1c on 2026-02-26
[TBD][487768779] High CVE-2026-4451: Insufficient validation of untrusted input in Navigation. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-26
[TBD][487977696] High CVE-2026-4452: Integer overflow in ANGLE. Reported by cinzinga on 2026-02-26
[TBD][488400770] High CVE-2026-4453: Integer overflow in Dawn. Reported by sweetchip on 2026-02-27
[TBD][488585488] High CVE-2026-4454: Use after free in Network. Reported by heapracer (@heapracer) on 2026-03-01
[TBD][488585504] High CVE-2026-4455: Heap buffer overflow in PDFium. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-01
[TBD][488617440] High CVE-2026-4456: Use after free in Digital Credentials API. Reported by sean wong on 2026-02-28
[TBD][488803413] High CVE-2026-4457: Type Confusion in V8. Reported by Zhenpeng (Leo) Lin at depthfirst on 2026-03-01
[TBD][489619753] High CVE-2026-4458: Use after free in Extensions. Reported by Shaheen Fazim on 2026-03-04
[TBD][490246422] High CVE-2026-4459: Out of bounds read and write in WebAudio. Reported by Jihyeon Jeong (Compsec Lab, Seoul National University / Research Intern) on 2026-03-06
[TBD][490254124] High CVE-2026-4460: Out of bounds read in Skia. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-06
[TBD][490558172] High CVE-2026-4461: Inappropriate implementation in V8. Reported by Google on 2026-03-07
[TBD][491080830] High CVE-2026-4462: Out of bounds read in Blink. Reported by heapracer (@heapracer) on 2026-03-09
[TBD][491358681] High CVE-2026-4463: Heap buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-10
[TBD][487208468] Medium CVE-2026-4464: Integer overflow in ANGLE. Reported by heesun on 2026-02-24

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Srinivas Sista

Hi,

The OpenWrt community is proud to announce the newest stable release of the OpenWrt 24.10 stable series.

Download firmware images using the OpenWrt Firmware Selector:

• https://firmware-selector.openwrt.org/?version=24.10.6

Download firmware images directly from our download servers:

• https://downloads.openwrt.org/releases/24.10.6/targets/

Main changes between OpenWrt 24.10.5 and OpenWrt 24.10.6

Only the main changes are listed below. See changelog-24.10.6 for the full changelog.

Security fixes

OpenWrt components (Trail of Bits audit, February 2026):

• CVE-2026-30871: Stack buffer overflow in umdns DNS PTR query handling (HIGH)
• CVE-2026-30872: Stack buffer overflow in umdns IPv6 reverse DNS lookup (HIGH)
• CVE-2026-30873: Memory leak in jsonpath when processing strings, labels, and regexp tokens (LOW)
• CVE-2026-30874: Command execution via PATH environment variable filter bypass in procd (LOW)

LuCI:

• CVE-2026-32721: Possible XSS attack via malicious SSID in LuCI WiFi scan modal (MEDIUM)

OpenSSL:

• openssl: update to 3.0.19, fixing multiple security vulnerabilities

Device support

• airoha: an7581: fix switch port and LED functionality
• ath79: CF-EW71 v2: fix MAC address assignment
• imx: Gateworks Venice GW72xx-2x, GW73xx-2x, GW75xx-0x, GW75xx-2x: add sysupgrade support
• ipq40xx: ASUS Lyra: fix reading of WiFi calibration data
• lantiq: fix GPIO expander clock, restoring correct LED and GPIO behaviour on affected devices
• mediatek: Banana Pi BPi-R3: fix PWM fan speed control — medium cooling level now works correctly
• mediatek: Cudy AP3000 v1, Cudy WR3000H: fix Ethernet connectivity on units with a Motorcomm PHY
• mediatek: Cudy M3000, ramips: Cudy AP1300 Outdoor: fix incorrect Ethernet port assignment
• mediatek: Cudy WR3000P: enable USB 3.0 support in default firmware image
• mediatek: GL-MT2500: fix sysupgrade compatibility from earlier releases
• mt7620: fix potential crash on MT7620-based devices
• ramips: mt76x8: fix boot counter tracking
• realtek: GS1900-24E: fix switch reliability

Various fixes and improvements

• imx: cortexa53: fix memory allocation for DMA-intensive operations
• jsonpath: fix memory leak (CVE-2026-30873)
• mac80211: ath11k: fix crash caused by unsupported 11ax EDCA parameters
• mac80211: ath9k: fix WiFi hang — chip is now automatically reset on inactivity
• mt76: mt76x02: fix WiFi traffic stall after interface reconfiguration
• procd: fix security issues (CVE-2026-30874) and other improvements
• umdns: fix security issues (CVE-2026-30871, CVE-2026-30872)

Core components update

• Linux kernel: update from 6.6.119 to 6.6.127
• openssl: update from 3.0.18 to 3.0.19
• procd: update from 2024-12-22 to 2026-03-14
• umdns: update from 2025-02-10 to 2026-02-06
• wireless-regdb: update from 2025.10.07 to 2026.02.04

OpenWrt 24.10 end of life

With the release of OpenWrt 25.12 stable series, the OpenWrt 24.10 stable series will go end of life in 6 months. We will not provide security updates for OpenWrt 24.10 after September 2026. We encourage everyone to upgrade to OpenWrt 25.12 before September 2026.

Upgrading to 24.10

Sysupgrade can be used to upgrade a device from 23.05 to 24.10, and configuration will be preserved in most cases.

For for upgrades inside the OpenWrt 24.10 stable series for example from a OpenWrt 24.10 release candidate Attended Sysupgrade is supported in addition which allows preserving the installed packages too.

• Sysupgrade from 22.03 to 24.10 is not officially supported.

• There is no configuration migration path for users of the ipq806x target for Qualcomm Atheros IPQ806X SoCs because it switched to DSA. You have to upgrade without saving the configuration.
  ''Image version mismatch. image 1.1 device 1.0 Please wipe config during upgrade (force required) or reinstall. Config cannot be migrated from swconfig to DSA Image check failed''

• User of the Linksys E8450 aka. Belkin RT3200 running OpenWrt 23.05 or earlier will need to run installer version v1.1.3 or later in order to reorganize the UBI layout for the 24.10 release. A detailed description is in the OpenWrt wiki. Updating without using the installer will break the device. Sysupgrade will show a warning before doing an incompatible upgrade.

• Users of the Xiaomi AX3200 aka. Redmi AX6S running OpenWrt 23.05 or earlier have to follow a special upgrade procedure described in the wiki. This will increase the flash memory available for OpenWrt. Updating without following the guide in the wiki break the device. Sysupgrade will show a warning before doing an incompatible upgrade.

• Users of Zyxel GS1900 series switches running OpenWrt 23.05 or earlier have to perform a new factory install with the initramfs image due to a changed partition layout. Sysupgrade will show a warning before doing an incompatible upgrade and is not possible. After upgrading, the config file /etc/config/system should not be restored from a backup, as this will overwrite the new compat_version value.

Known issues

• LEDs for Airoha AN8855 are not yet supported. Devices like the Xiaomi AX3000T with an Airoha switch will have their switch LEDs powered off. This issue will be addressed in an upcoming OpenWrt SNAPSHOT and the OpenWrt 24.10 minor release.
• 5GHz WiFi is non-functional on certain devices with ath10k chipsets. Affected models include the Phicomm K2T, TP-Link Archer C60 v3 and possibly others. For details, see issue #14541.

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/24.10/notes-24.10.6

In particular, make sure to read the regressions and known issues before upgrading:
https://openwrt.org/releases/24.10/notes-24.10.6#known_issues

For a detailed list of all changes since 24.10.5, refer to
https://openwrt.org/releases/24.10/changelog-24.10.6

To download the 24.10.6 images, navigate to:
https://downloads.openwrt.org/releases/24.10.6/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=24.10.6

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community

To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

• a low-volume mailing list for important announcements:
  https://lists.openwrt.org/mailman/listinfo/openwrt-announce

• a dedicated "announcements" section in the forum:
  https://forum.openwrt.org/c/announcements/14

• other announcement channels (such as RSS feeds) might be added in the
  future, they will be listed at https://openwrt.org/contact

Hi,

The OpenWrt community is proud to announce the first service release of the OpenWrt 25.12 stable series.

Download firmware images using the OpenWrt Firmware Selector:

• https://firmware-selector.openwrt.org/?version=25.12.1

Download firmware images directly from our download servers:

• https://downloads.openwrt.org/releases/25.12.1/targets/

Main changes between OpenWrt 25.12.0 and OpenWrt 25.12.1

Only the main changes are listed below. See the full changelog for details.

Security fixes

OpenWrt components (Trail of Bits audit, February 2026):

• CVE-2026-30871: Stack buffer overflow in umdns DNS PTR query handling (HIGH)
• CVE-2026-30872: Stack buffer overflow in umdns IPv6 reverse DNS lookup (HIGH)
• CVE-2026-30873: Memory leak in jsonpath when processing strings, labels, and regexp tokens (LOW)
• CVE-2026-30874: Command execution via PATH environment variable filter bypass in procd (LOW)

LuCI:

• CVE-2026-32721: Possible XSS attack via malicious SSID in LuCI WiFi scan modal (HIGH)

Additional hardening from the same Trail of Bits audit (no CVE assigned):

• odhcpd: fix stack buffer overflow in DHCPv6 Identity Association logging
• procd: fix out-of-bounds write in cgroup path building and cgroup rule application

Device support

• airoha: fix EN7581 PCIe initialization and add x2 (2-lane) link support — improves PCIe reliability and unlocks full bandwidth for affected devices
• ath79: TP-Link RE355 v1, RE450 v1/v2: fix partition alignment to prevent configuration loss on sysupgrade
• ipq40xx: Devolo Magic 2 WiFi next: enable device support
• ipq40xx: re-enable MeshPoint.One target
• ipq806x: AP3935: fix U-Boot NVMEM layout
• lantiq: fix GPIO expander clock (gpio-stp-xway) — restores correct LED and GPIO behaviour on affected devices
• lantiq: fix missing WAN MAC address assignment on some devices
• mediatek: Cudy M3000: add support for hardware variant with Motorcomm YT8821 PHY (previously only the Realtek PHY variant was supported)
• mediatek: TP-Link BE450: fix 10GbE PHY reset timing that caused intermittent boot stalls, add missing WLAN toggle button, fix reported memory size
• microchipsw: Novarq Tactical 1000: fix swapped SFP I2C buses for ports 1 and 3 — fixes SFP EEPROM read failures
• ramips: Keenetic KN-1910: fix sysupgrade functionality
• realtek: RTL838x-based switches: fix non-functional reboot
• treewide: Linksys devices: fix MAC address assignment

WiFi fixes and improvements

• mac80211: fix crash triggered by Channel Switch Announcement (CSA) when AP VLAN interfaces are in use
• mt76: add MT7990 firmware support (new MediaTek WiFi 7 chipset)
• mt76: mt7915: fix power save mode handling
• mt76: mt7921/MT7902: add MT7902e MCU and DMA layout support
• mt76: mt7996/mt7992: fix crash in transmit path, fix out-of-bounds access during hardware restart, improve MLO/CSA and radar detection support
• wifi-scripts: fix incorrect VHT160 capability advertisement — was incorrectly set on non-160 MHz AP configurations, degrading station upload speed (#22435)
• wifi-scripts: fix malformed wpa_supplicant config when 802.1X EAP credentials (identity, password, certificates) contain spaces (#22212)

Web interface (LuCI) and system fixes

• luci-mod-network: fix XSS vulnerability in WiFi scan modal (CVE-2026-32721)
• ustream-ssl (OpenSSL variant): fix use-after-free crash causing uhttpd (the LuCI web server) to crash under high load (#19349)

Networking and system fixes

• firewall4: set as the preferred firewall package over the legacy firewall package
• iptables: prefer the nftables-backed variants (iptables-nft, ip6tables-nft) when iptables is pulled in as a dependency
• kernel: CAKE QoS scheduler fixes — avoid unnecessary synchronization overhead when running without a rate limit, fix DiffServ rate scaling
• kernel: SFP: improve Huawei MA5671a module support — module is now accessible even when no fiber is connected
• odhcpd: fix segfault when disabling a DHCP interface, fix DHCPv4 lease tree corruption, fix truncated field in DHCPv6 lease queries, fix DNS search list padding
• ppp: fix potential memory safety issue (undefined behavior in memcpy with overlapping buffers); remove the MRU limit patch for PPPoE connections (ppp-project/ppp#573)

Package manager (apk)

• apk: update to version 3.0.5 with several OpenWrt-specific bug fixes
• apk: add --force-reinstall option to reinstall already-installed packages without requiring a version change

Core component updates

• apk: update from 3.0.2 to 3.0.5
• jsonfilter: update from 2025-10-04 to 2026-03-16 (fixes CVE-2026-30873)
• libubox: update from 2026-02-13 to 2026-03-13 (ABI version stabilized for 25.12 stable series)
• Linux kernel: update from 6.12.71 to 6.12.74
• odhcpd: update from 2026-01-19 to 2026-03-16
• omcproxy: update from 2025-10-04 to 2026-03-07
• procd: update from 2026-02-20 to 2026-03-14 (fixes CVE-2026-30874)
• umdns: update from 2025-10-04 to 2026-02-06 (fixes CVE-2026-30871, CVE-2026-30872)
• ustream-ssl: update from 2025-10-03 to 2026-03-01

Upgrading to 25.12.1

Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.

• Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

• Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. fc0c518

• Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. cd8dcfe

• TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).

Known issues

• Zyxel EX5601-T0: the WAN interface was renamed from eth1 to wan — check and update your network configuration after upgrading.
• Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. #21486
• 802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. #22200
• SQM CAKE MQ (cake_mq): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. #22344
• 160 MHz channel width cannot be configured. #22481

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/25.12/notes-25.12.1

In particular, make sure to read the known issues before upgrading:
https://openwrt.org/releases/25.12/notes-25.12.1#known_issues

For a detailed list of all changes, refer to
https://openwrt.org/releases/25.12/changelog-25.12.1

To download the 25.12.1 images, navigate to:
https://downloads.openwrt.org/releases/25.12.1/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=25.12.1

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community

To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

• a low-volume mailing list for important announcements:
  https://lists.openwrt.org/mailman/listinfo/openwrt-announce

• a dedicated "announcements" section in the forum:
  https://forum.openwrt.org/c/announcements/14

• other announcement channels (such as RSS feeds) might be added in the
  future, they will be listed at https://openwrt.org/contact

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports.

We strongly advise that you update your instance if you use permissions to control page visibility.

Thanks to Ghufran Raza Khan (GitHub Profile, LinkedIn Profile) for responsibly reporting this issue.
Also thanks to Alex Dan (GitHub Profile) for also reporting this before public announcement.

Full List of Changes

• Updated queries used for pages in markdown exports.
• Updated handling of filenames for file serving.
• Updated PHP package versions.

• [p]Players in Germany and Netherlands will have an X-Ray Scanner tab in their Inventory. For those players, containers can only be opened via X-ray Scanner. The X-Ray Scanner will come preloaded with a one-time exclusive non-tradable "Genuine P250 | X-ray", which must be claimed before using the X-Ray Scanner to reveal items in other containers.[/p][/*]
• [p]Keyless Containers, like Souvenir Packages, can be opened without the X-Ray Scanner.[/p][/*]

New features:

• SFTP support is now based on the fzssh library

Bugfixes and minor changes:

• Fix detection of OTP requests from FileZilla Pro Enterprise Server if using non-default FTP encryption options
• MSW: Improve handling of volumes mounted as path instead of as drive letter
• *nix, macOS: Remove custom send buffer option, rely on operating system auto-tuning

A new minor release, FFmpeg 8.1 "Hoare", is now available for download. Here are some of the highlights:

• Decoders: xHE-AAC Mps212 (experimental) MPEG-H decoding via libmpeghdec
• EXIF Metadata Parsing
• LCEVC: support for parsing and forwarding metadata
• Vulkan compute-based codecs: ProRes encoding and decoding, DPX decoding
• D3D12: D3D12 H.264/AV1 encoding, scale_d3d12, mestimate_d3d12, deinterlace_d3d12 filters
• Rockchip H.264/HEVC hardware encoding
• IAMF: Projection mode Ambisonic Audio Elements muxing and demuxing
• Formats: hxvs demuxer
• Filters: drawvg, vpp_amf

This release features a lot of internal changes and bugfixes. The groundwork for the upcoming swscale rewrite is progressing. The Vulkan compute-based codecs, and a few filters, no longer depend on runtime GLSL compilation, which speeds up their initialization.

A companion post about the Vulkan Compute-based codec implementations has been published on the Khronos blog, featuring technical details on the implementations and future plans.

We recommend users, distributors, and system integrators to upgrade unless they use current git master.

Part-DB 2.9.1

Improvements

• Removed MPN fallback from LCSC barcode scanner, the SPN field is used instead for part matching (#1302)
• Automatically detect the delimiter on generic CSV BOM imports

Bug fixes

• Fixed intendation of EDA visibility checkboxes
• Fixed SAML login button (#1308, thanks to @mowoe)
• Fixed problem of GenericWeb info provider when used behind traefik (#1296)
• Fixed 500 error, when mapping in generic CSV BOM import fails (#1298)
• Fixed 500 error with displaying part prices, when a user has a currency preference different of base currency, and there is no conversion rate known for it (#1317)

Miscellaneous

• Updated dependencies
• Updated translations
• Updated kicad symbols

New Contributors

• @mowoe made their first contribution in #1308

Full Changelog: v2.9.0...v2.9.1

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Email/SMTP - The way BookStack sends messages has changed slightly (Specifically, the SMTP HELO domain). This isn't expected to be a breaking change but testing of emails (Using the test send action in Settings > Maintenance) is advised after updating to be sure there's no impact.
• Theme System - Within a theme directory, the modules/ folder is now dedicated to theme modules. If you happened to already have a folder of this name in your theme, it's advised to use a different folder name instead.

Full List of Changes

Released in v26.03

• Added new module system to the theme system. (#5998)
• Added logical theme events for page content render and pre-save. (#6049)
• Added logical theme event and class to allow inserting custom views before/after others. (#5998)
• Added logical theme event to allow customising the OIDC authentication URL. (#6014)
• Updated book delete to return to the parent shelf in a shelf context. (#6029)
• Updated book read API endpoint to provide parent shelf information. (#6006)
• Updated cursor to pointer for drawio diagrams. Thanks to @lublak. (#5864)
• Updated description for per-page display limits. (#6005)
• Updated emails to use the domain from the APP_URL in the SMTP HELO. (#5990)
• Updated translations with latest Crowdin changes. (#6007)
• Fixed empty extra space showing for descriptions when the input is left empty. (#5724)

The Stable channel has been updated to 146.0.7680.80 for Windows/Mac  and 146.0.7680.80 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log