OpenWrt 24.10.6 released - fixes MANY CVEs

A security audit has found many issues. These have been patched on 24.10.6.

Flint 2’s OpenWrt 24 is still based on 24.10.4 dating to November.

Will there be a release soon to fix all these security issues?

EDIT: OpenWrt 25.12.1 has also been released to fix similar CVEs.


I think they will backport the changes to the next 4.9 release.

Hi

Thank you for the report.

  1. For the OpenWrt version, we will release a new firmware, maybe v4.9.x-op25, after the v4.9 firmware to address these issues.
  2. For the closed-source stock firmware, we will have the development team review whether these issues have any impact and whether fixes are needed, and include them in future updates if applicable.

Based on a preliminary assessment:

  • CVE-2026-30871: No impact, as we do not use umdns
  • CVE-2026-30872: No impact, as we do not use umdns
  • CVE-2026-30873: No impact, as we do not use jsonpath
  • CVE-2026-30874: No impact, as this is a privilege escalation issue, but only the root user is available by default, so there are no lower privileges to escalate from
  • CVE-2026-32721: Requires further review by the development team. However, it is related only to LuCI’s Wi-Fi scanning; if you are using the GL.iNet UI’s Repeater feature instead, there should be no impact.

Also the latest release of OpenWrt still needs some fixes btw but maybe OpenWrt team is gonna backport these.

These were all regressions to mt76 and hostapd where wifi had really bad performance.

The row of fixes: c949d0e6c6c24e2bbef58f519816a4d45502f73e ~ 49715596f9c821a86698928383b61c9da59f7249

GitHub - openwrt/openwrt at 2f1537443fe6bcb235c1425b2ab1850f2cbf70b8: see commits section for a rough list.

It has been fixed in the OpenWrt master branch.

I had this for a week and the wifi felt like a DoS even when speedtest and other services reported fine, but everything was extremely delayed; even opening the edit window on this forum was delayed by 2 seconds.