See Security old for the old page.

This page lists the processes, tools and mechanisms OpenWrt uses to the security of OpenWrt. This covers the OpenWrt distribution with the official package feeds hosted at and also the OpenWrt specific tools hosted at like procd, ubus and libubox

Security bugs should be reported in confidentiality to, see Reporting security bugs for details.

This only lists security advisories for components maintained directly by the OpenWrt team. This does not list all fixed security problems in third party components used by OpenWrt which can also affect the security of OpenWrt. We do not list known security problems in the Linux kernel, openssl and other third party components even when they affect use cases relevant for OpenWrt. The OpenWrt team monitors the upstream projects and backports security fixes for components used in the OpenWrt core repository to still supported OpenWrt versions. For example 159 CVEs were assigned to the Linux kernel in 2021 alone, OpenWrt regularly updates the minor Linux kernel version to get the recent fixes.

This lists the currently support or not supported OpenWrt versions.

Version Current status Projected EoL
23.05 Fully supported 2025, March
22.03 Security maintenance 2024, April
21.02 End of life 2023, May
19.07 End of life 2022, April
18.06 End of life 2020, December
17.01 End of life 2018, September
15.05 End of life 2016, March

The projected EoL can be extended later, depending on the future situation, like the release date of the next release.

The Version references the most recent stable version from this release branch.

  • Fully supported means that the OpenWrt team provides updates for the core packages fixing security and other problems we are aware of.
  • Security maintenance means that the OpenWrt team fixes only security problems in this release but no bugs any more.
  • End of life means that we will *not* provide any updates also for severe security problem. Please update to more recent versions.

A OpenWrt major version will get into fully supported status after it was initially released. When the next OpenWrt major version is released the old version will move into security maintenance mode. A OpenWrt major version will move into end of life 1 year after the initial release or 6 months after the release of the next major versions. The later date will be used. We plan to do a final minor release at the end of the support cycle.

This only covers the core OpenWrt packages and not the external package feeds hosted on GitHub. Some feed package maintainer do not take care of all OpenWrt versions where the the core components are still supported. For the best security support we suggest everyone to upgrade to the most recent stable version.

The OpenWrt project uses multiple tools to identify potential security problems. The information are normally available for everyone and we appreciate fixes for problems reported by these tools form everyone.

The uscan report shows the version number of all packages from the base and the package repository and compares it against the recent upstream released versions. In addition the tool which generates this page also checks for existing CVEs assigned to the packages based on the Common Platform Enumeration (CPE) which is listed in the PKG_CPE_ID variable of many packages. That page is updated weekly for master and the active release branches.

OpenWrt uses the commercial Coverity Scan tool which is available for free to open source projects to do static code analyses on the OpenWrt components. This scans one OpenWrt build per week and reports the problems found in the components developed in the OpenWrt project like procd and ubus, but not on (patched) third party components.

The reproducible builds project checks that OpenWrt master is still reproducible. This proves that the produced releases really match the delivered source code and no backdoors were introduced in the build process.

OpenWrt operates multiple build bot instances which are building snapshots of the master and the supported release branches.

When a change to a package is committed to the OpenWrt base repository of package feed, the build bots are automatically detecting this change and will rebuild this package. The newly built package can then be installed with opkg or be integrated with the image builder by users of OpenWrt. This allows us to ship updates in about 2 days to the end users.

The kernel is normally located in its own partition and upgrades are not so easily possible. Therefore this mechanism currently does not work for the kernel itself and kernel modules and a new minor release is needed to ship fixes to end users.

OpenWrt activates some build hardening options in the build configuration at compile time for all package builds. Note that individual packages and/or targets may ignore or otherwise not respect these settings.

.config line Enabled by default Notes
CONFIG_PKG_CHECK_FORMAT_SECURITY=y Yes -Wformat -Werror=format-security
CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y No -fstack-protector-strong
CONFIG_PKG_FORTIFY_SOURCE_1=y Yes -D_FORTIFY_SOURCE=1 (Using fortify-headers for musl libc)
CONFIG_PKG_FORTIFY_SOURCE_2=y No -D_FORTIFY_SOURCE=2 (Using fortify-headers for musl libc)
CONFIG_PKG_RELRO_FULL=y Yes -Wl,-z,now -Wl,-z,relro
CONFIG_PKG_ASLR_PIE_REGULAR=y Yes -fPIC CFLAGS and -specs=hardened-build-ld LDFLAGS
PIE is activated for some binaries, mostly network exposed applications
CONFIG_PKG_ASLR_PIE_ALL=y No PIE is activated for all applications
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/12/04 23:38
  • by hauke