A stack buffer overflow that a network-adjacent attacker can trigger with a crafted DHCPv6 REQUEST packet sits at the top of the fixes in OpenWrt 25.12.5, the fifth service release in the open source router firmware's current stable series. Tracked as CVE-2026-53921 and rated Critical, the flaw lives in odhcpd, the DHCPv6/DHCPv4/RA server that ships enabled by default, so most installations are exposed out of the box. The attacker does have to be on a link odhcpd serves: DHCPv6 is link-local, so the realistic threat is a compromised or untrusted host on the LAN or a guest network rather than the Internet at large, but that is exactly the position a malicious IoT device or a phone on the guest SSID holds. The same update closes a use-after-free, a stack memory disclosure, and a pre-auth denial of service in the same daemon, along with an NDP relay bug that let off-link attackers spoof Neighbor Solicitation packets in violation of RFC 4861. The project is telling everyone to upgrade.

The LuCI web interface accounts for the longest list of patches. A command injection in luci-app-tailscale-community carries a CVSS score of 9.9 and lets delegated users run commands as root through tailscale.do_login, and a cluster of related issues in luci-app-advanced-reboot, luci-app-adblock-fast, luci-app-samba4, and luci-app-travelmate followed similar privilege-escalation paths from limited accounts to root command execution. Several stored cross-site scripting bugs were also fixed, including one where an unauthenticated DHCPv6 client could inject JavaScript into the leases status page through a crafted FQDN hostname, and another reaching the UPnP status view via a port-mapping description. Both are reminders that data arriving over DHCP or UPnP is attacker-controlled input and has to be escaped when a web UI renders it. On the server side, the uhttpd web server received fixes for three HTTP request smuggling issues on keep-alive connections, and a path-traversal flaw in cgi-io that allowed an authenticated user with wildcard read permission to read any root-readable file, /etc/shadow included, was closed.
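The two DHCPv6-related bugs above, the stack overflow in odhcpd and the stored XSS through a client-supplied FQDN, share a root: bytes from a DHCPv6 option are trusted either as a length to copy or as a string to display. The following is an added example, not code from odhcpd or LuCI, and it does not reproduce either actual bug (the page does not describe the affected code paths). It walks the options of a DHCPv6 message per RFC 8415, checking every advertised length against both the packet (the attacker-controlled source) and a fixed stack buffer (the destination), then decodes OPTION_CLIENT_FQDN (code 39, RFC 4704) and restricts the hostname to RFC 1123 characters before it would be stored. The packets, the 64-byte hostname limit and the return codes are constructed assumptions for the example.

```c
/* Added example (not odhcpd's code): bounds-checked DHCPv6 option walk and
 * checked OPTION_CLIENT_FQDN decode. Header: msg-type (1) + xid (3), then
 * options of code (2) | length (2) | data (RFC 8415 section 21.1). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define DHCPV6_OPT_CLIENT_FQDN 39   /* RFC 4704 */
#define HOSTNAME_MAX           64   /* assumed size of the lease table's hostname field */

enum { FQDN_OK = 1, FQDN_ABSENT = 0, FQDN_MALFORMED = -1, FQDN_REJECTED = -2 };

/* Decode the label-encoded name that follows the one-octet flags field into
 * dotted form. Each label length is checked against the remaining option bytes
 * (so a forged length cannot over-read the packet) and against out_len (so it
 * cannot overflow the fixed buffer). Returns hostname length or FQDN_MALFORMED. */
static int decode_fqdn(const uint8_t *opt, size_t opt_len, char *out, size_t out_len)
{
    size_t pos = 1, o = 0;                                 /* opt[0] is the flags octet */
    if (opt_len < 1 || out_len == 0) return FQDN_MALFORMED;
    while (pos < opt_len) {
        uint8_t lab = opt[pos++];
        if (lab == 0) break;                               /* root label ends a full name */
        if (lab > 63) return FQDN_MALFORMED;               /* no compression pointers here */
        if (lab > opt_len - pos) return FQDN_MALFORMED;    /* label runs past the option */
        if (o + lab + 2 > out_len) return FQDN_MALFORMED;  /* dot + label + NUL must fit */
        if (o) out[o++] = '.';
        memcpy(out + o, opt + pos, lab);
        o += lab;
        pos += lab;
    }
    out[o] = '\0';
    return (int)o;
}

/* RFC 1123 hostname: letters, digits, hyphens, dots; labels non-empty and not
 * starting or ending with '-'. This keeps markup out of a value a web UI may
 * later render; the UI must still escape on output, this is defence in depth. */
static int hostname_is_valid(const char *h)
{
    size_t lab = 0;
    if (*h == '\0') return 0;
    for (const char *p = h; ; p++) {
        if (*p == '.' || *p == '\0') {
            if (lab == 0 || p[-1] == '-') return 0;
            if (*p == '\0') return 1;
            lab = 0;
        } else if (isalnum((unsigned char)*p) || (*p == '-' && lab > 0)) {
            lab++;
        } else {
            return 0;
        }
    }
}

/* Walk the options of a DHCPv6 message and copy a validated client FQDN into
 * out[out_len]. Every length field is checked before it is used. */
static int extract_client_fqdn(const uint8_t *pkt, size_t len, char *out, size_t out_len)
{
    size_t pos = 4;                                         /* skip msg-type + xid */
    if (len < 4) return FQDN_MALFORMED;
    while (pos < len) {
        if (len - pos < 4) return FQDN_MALFORMED;           /* truncated option header */
        uint16_t code = (uint16_t)(pkt[pos] << 8 | pkt[pos + 1]);
        uint16_t olen = (uint16_t)(pkt[pos + 2] << 8 | pkt[pos + 3]);
        pos += 4;
        if (olen > len - pos) return FQDN_MALFORMED;        /* body overruns the packet */
        if (code == DHCPV6_OPT_CLIENT_FQDN) {
            if (decode_fqdn(pkt + pos, olen, out, out_len) < 0) return FQDN_MALFORMED;
            return hostname_is_valid(out) ? FQDN_OK : FQDN_REJECTED;
        }
        pos += olen;
    }
    return FQDN_ABSENT;
}

/* Constructed sample messages (not captures). msg-type 3 = REQUEST. */
static const uint8_t pkt_good[] = {
    0x03, 0x11, 0x22, 0x33,
    0x00, 0x01, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,         /* CLIENTID, 4 bytes */
    0x00, 0x27, 0x00, 0x0d, 0x00,                           /* CLIENT_FQDN, 13 bytes, flags */
    0x06, 'r','o','u','t','e','r', 0x03, 'l','a','n', 0x00 };
static const uint8_t pkt_overlong[] = {                     /* claims 512 bytes, 5 follow */
    0x03, 0x11, 0x22, 0x33, 0x00, 0x27, 0x02, 0x00, 0x00, 0x03, 'l','a','n' };
static const uint8_t pkt_markup[] = {                       /* partial name "<script>" */
    0x03, 0x11, 0x22, 0x33, 0x00, 0x27, 0x00, 0x0a, 0x00,
    0x08, '<','s','c','r','i','p','t','>' };

static char g_host[HOSTNAME_MAX];
static int run(const uint8_t *pkt, size_t len) { return extract_client_fqdn(pkt, len, g_host, sizeof g_host); }

int main(void)
{
    printf("good: %d host=%s\n", run(pkt_good, sizeof pkt_good), g_host);
    printf("overlong: %d\n", run(pkt_overlong, sizeof pkt_overlong));
    printf("markup: %d\n", run(pkt_markup, sizeof pkt_markup));
    return 0;
}
```

The `pkt_overlong` case is the shape of a classic stack overflow: a parser that trusts the 512-byte option length and copies it into a local buffer would write far past the end of the frame, whereas here the length is rejected against the packet before any copy, and `decode_fqdn` separately rejects names that would not fit the destination. The `pkt_markup` case parses cleanly, which is the point: a well-formed DHCPv6 message can still carry a hostname that is only dangerous once a web page renders it unescaped.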

Underneath the userspace patches, the release bumps the Linux kernel from 6.12.87 to 6.12.94, pulling in the upstream 6.12.88 through 6.12.94 stable fixes, among them the fix for CVE-2026-43500. OpenSSL moves to 3.5.7 with roughly fifteen CVE fixes, dnsmasq jumps from 2.91 to 2.93, and there are backported security fixes for musl libc and dropbear, the latter picking up a patch for the long-standing CVE-2019-6111 scp file-overwrite issue. The build system itself got attention too: matching the linker's max-page-size to the target page size trims padding and produces slightly smaller images, and OpenWrt builds are now more reproducible.

Eleven new devices gain support, weighted heavily toward MediaTek's Filogic platform, including the GL.iNET GL-MT3600BE, JioRouter AX6000, netis EAP930 V1 and MEX605, TP-Link F65 v1, and Zbtlink ZBT-Z8106AX-S, alongside the Linksys MR9000 on ipq40xx and the Zyxel NAS326 on mvebu. A new "network" LED trigger arrives for link and activity indication on supported hardware, and wifi-scripts fixes address a null dereference on 6 GHz-only radios and broken EAP (802.1X) station mode. A few known issues remain and are worth checking before flashing: Pixel 10 phones still struggle to connect to WPA3-protected WiFi 6 access points, 802.11r Fast Transition can break some clients under WPA3, and SQM CAKE MQ throughput may drop on certain configurations after this release's scheduler changes.

Images are available now through the OpenWrt Firmware Selector or directly from the download servers. Upgrades within the 25.12 series support Attended Sysupgrade to preserve installed packages, though a handful of devices, among them the TP-Link RE355 and RE450, the Meraki MX60, and the Bananapi BPI-R4, need manual steps documented in the full release notes.