OpenWrt 24.10.7 Patches Dirty Frag Kernel Flaw and dnsmasq CVEs

A local privilege escalation bug in the Linux kernel's IPsec ESP code path, tracked as CVE-2026-43284 and nicknamed "Dirty Frag," is the headline fix in OpenWrt 24.10.7. The flaw affects any router with kmod-ipsec and the esp4 or esp6 modules loaded, a common configuration for site-to-site VPN tunnels on consumer hardware. The patch arrives via a kernel bump to 6.6.138, with the full release shipping 6.6.141 (up from 6.6.127 in 24.10.6). A second kernel CVE, CVE-2026-31431 ("Copy Fail"), is also closed for users of the starfive target or anyone who had pulled in kmod-crypto-user.

The dnsmasq stack absorbs six backported upstream fixes (CVE-2026-2291 and CVE-2026-4890 through 4893, plus CVE-2026-5172), keeping the DNS and DHCP daemon on the 2.90 series. The TLS libraries get a sweep too: OpenSSL moves to 3.0.20, mbedTLS to 3.6.6, and wolfSSL to 5.9.1, each carrying its own batch of vulnerability fixes. With 24.10 already in security-only maintenance and end-of-life slated for September 2026, the OpenWrt project is steering users toward the 25.12 branch before the lights go out.

Device support work focuses on the Airoha silicon that has been landing in newer mid-range Wi-Fi 7 routers. The EN7581 platform now handles PCIe initialization correctly and gains x2 lane support, U-Boot lands for EN7581 and AN7583 boards, USB comes online for AN7581, and Ethernet hardware offload is fixed when GDM2 is present. An I2S audio driver kernel panic on AN7581 is also resolved. Smaller cleanups touch the Linksys MX5300 (ipq807x), the Xiaomi Mi Router AC2100 (mt7621), and a Lantiq MTD partition parser refcount and memory leak.

Two known issues are worth flagging before flashing. LEDs on Airoha AN8855 switches remain unsupported, so devices like the Xiaomi AX3000T will have dark switch LEDs until a follow-up snapshot lands. And 5 GHz Wi-Fi continues to misbehave on certain ath10k boards, including the Phicomm K2T and TP-Link Archer C60 v3, tracked in issue #14541. Sysupgrade from 23.05 to 24.10 preserves configuration in most cases, but ipq806x users still need a clean install due to the switch from swconfig to DSA, and Linksys E8450, Xiaomi AX3200, and Zyxel GS1900 owners on 23.05 or older should consult the wiki before pulling the trigger.

Images are available through the OpenWrt Firmware Selector or directly from the download servers, with the full changelog covering everything not summarized above.

Related Articles

Armbian 26.5.1 Expands ARM Board Support and Ubuntu 26.04 Integration

OpenZFS 2.4.2 Lands With Linux 7.1 Compatibility and dRAID Corruption Fixes

OpenZFS 2.3.7 Lands With dRAID Stability Fixes and Linux 7.0 Support

Linux 7.1-rc2 Fixes Two-Year-Old Steam Deck OLED Audio Bug