OpenWRT 25.12.3 fixes many CVEs - Flint 2 still on 24.10.4

Linux kernel: fixes CVE-2026-31431 ("Copy Fail"). In earlier releases this only affected users on the starfive target and users who had installed kmod-crypto-user.
mbedtls: update to 3.6.6 (multiple CVE fixes)
OpenSSL: update to 3.5.6 (multiple CVE fixes)
wolfSSL: update to 5.9.1 (multiple CVE fixes)

Flint 2 seems to be falling further and further behind current OpenWRT.

When will GL6000 OpenWRT 24 users get GL-inet firmware newer than November 2025?

1 Like

They said it’s in the pipeline but not high priority atm. I personally used op25.12 vanilla and it was quite stable.

Flint 3 is still on OpenWrt 23.5, it’s concerning. They are pumping out new hardware left and right while the software is lagging waaaaay behind.

1 Like

…is not compatible with vanilla Openwrt as downloadable from the openwrt website.

At least with Flint 2, if GL-inet firmware ceases to be updated for it, we can just go full openwrt.

Which would be a loss, as I like the improved usability of GL-inet’s firmware interface.

3 Likes

That’s the concerning part.

Openwrt 25.12.4 now out:

dnsmasq: backport six upstream CVE-fix patches to dnsmasq 2.91:

CVE-2026-2291: heap buffer overflow in DNS domain-name handling.
CVE-2026-4890 / CVE-2026-4891: DNSSEC crashes via crafted NSEC bitmaps / RRSIG packets.
CVE-2026-4892: buffer overflow on large DHCPv6 CLIDs (only with --dhcp-script).
CVE-2026-4893: broken EDNS Client Subnet validation.
CVE-2026-5172: buffer overflow in extract_addresses() on crafted resource records.

Linux kernel: CVE-2026-43284 ("Dirty Frag") — local privilege escalation via the IPsec ESP path. Only relevant on devices with kmod-ipsec / esp4/esp6 loaded. Fixed via the 6.12.87 kernel update.

These were considered critical enough for a new point update from OpenWRT.

2 Likes
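
An added example, not part of any post in this thread: a POSIX shell triage for the two conditions the 25.12.4 notes above attach to these fixes (esp4/esp6 loaded, dnsmasq using dhcp-script). The `/var/etc/dnsmasq.conf*` path, the function names and the `RUN_TRIAGE` switch are assumptions; the kernel check compares version numbers only and judges only the 6.12 series.

```sh
#!/bin/sh
# Added example (not from the thread). Each check takes text as an argument
# so it can be run against saved output as well as on the router itself.

# esp_loaded MODULES: true if esp4 or esp6 is listed in /proc/modules text.
esp_loaded() {
    printf '%s\n' "$1" | awk '$1 == "esp4" || $1 == "esp6" { f = 1 } END { exit !f }'
}

# dhcp_script_set CONF CMDLINE: true if dnsmasq has dhcp-script configured,
# either in its config file or on its command line (not dhcp-scriptuser).
dhcp_script_set() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*dhcp-script[[:space:]]*=' && return 0
    case " $2 " in
        *" --dhcp-script="*|*" --dhcp-script "*) return 0 ;;
    esac
    return 1
}

# kernel_status RELEASE: prints fixed, needs-update or unknown. Only 6.12.x
# is judged, because 6.12.87 is the only fixed version the post names.
kernel_status() {
    rel=${1%%-*}                         # strip "-suffix" if present
    major=${rel%%.*}; rest=${rel#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$rest" in *.*) ;; *) echo unknown; return ;; esac
    case "$patch" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$major" = 6 ] && [ "$minor" = 12 ]; then
        if [ "$patch" -ge 87 ]; then echo fixed; else echo needs-update; fi
    else
        echo unknown
    fi
}

# triage_report: run the checks on the live system.
# Assumption: dnsmasq config lives under /var/etc/dnsmasq.conf* (OpenWrt default).
triage_report() {
    mods=$(cat /proc/modules 2>/dev/null)
    conf=$(cat /var/etc/dnsmasq.conf* 2>/dev/null)
    cmd=$(ps w 2>/dev/null | grep '[d]nsmasq')
    esp_loaded "$mods" && echo "esp4/esp6 loaded: kernel $(kernel_status "$(uname -r)")"
    dhcp_script_set "$conf" "$cmd" && echo "dnsmasq runs with dhcp-script"
    return 0
}

# Set RUN_TRIAGE=1 to execute on the device; otherwise only functions are defined.
if [ "${RUN_TRIAGE:-0}" = 1 ]; then triage_report; fi
```

A vendor kernel with backported fixes can report an older version string, so treat `needs-update` as a prompt to check the firmware changelog.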

Hope this is not the case with future releases.