Openwrt

OpenWrt LuCI XSS in Wireless Scan Modal (v24.10.5/25.12.0)
CVE-2026-32721 8.6 - High - March 19, 2026

LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.

XSS

OpenWrt <24.10.6: hotplug CALL PATH bypass for privilege escalation
CVE-2026-30874 - March 19, 2026

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.

Partial String Comparison

OpenWrt jp_get_token Mem Leak (V<=24.10.5, V<=25.12.0)
CVE-2026-30873 - March 19, 2026

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1.

Memory Leak

Buffer Overflow in OpenWrt mdns (v24.10.5, v25.12.0)
CVE-2026-30872 - March 19, 2026

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.

Stack Overflow

OpenWrt mDNS Daemon Stack Buffer Overflow (pre-24.10.6/25.12.1)
CVE-2026-30871 - March 19, 2026

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.

Stack Overflow

OpenWrt ubusd Heap Buffer Overflow (pre-24.10.4) Arbitrary Code Exec
CVE-2025-62526 7.9 - High - October 22, 2025

OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL. This is fixed in OpenWrt 24.10.4. There are no workarounds.

Heap-based Buffer Overflow

OpenWrt ltq-ptm ioc admin -> arbitrary kernel mem R/W (v<24.10.4)
CVE-2025-62525 7.9 - High - October 22, 2025

OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, local users could read and write arbitrary kernel memory using the ioctls of the ltq-ptm driver which is used to drive the datapath of the DSL line. This only effects the lantiq target supporting xrx200, danube and amazon SoCs from Lantiq/Intel/MaxLinear with the DSL in PTM mode. The DSL driver for the VRX518 is not affected. ATM mode is also not affected. Most VDSL lines use PTM mode and most ADSL lines use ATM mode. OpenWrt is normally running as a single user system, but some services are sandboxed. This vulnerability could allow attackers to escape a ujail sandbox or other contains. This is fixed in OpenWrt 24.10.4. There are no workarounds.

Improper Input Validation

Android Device Admin API OOB Write LPE via Physical Access
CVE-2025-20696 - August 04, 2025

In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801.

Memory Corruption

Microsoft WLAN AP Driver OOB Write Priv Esc
CVE-2025-20683 - July 08, 2025

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416938; Issue ID: MSV-3444.

Memory Corruption

BT Firmware Uncaught Exception Remote DoS
CVE-2025-20695 - July 08, 2025

In Bluetooth FW, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09741871; Issue ID: MSV-3317.

Memory Corruption

Win BT FW Uncaught Exc -> Remote DoS
CVE-2025-20694 - July 08, 2025

In Bluetooth FW, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09752821; Issue ID: MSV-3342.

buffer underrun

Out-of-Bounds Read in Alps WLAN STA Driver Causing Info Disclosure
CVE-2025-20693 - July 08, 2025

In wlan STA driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09812521; Issue ID: MSV-3421.

Out-of-bounds Read

Out-of-Bounds Read in Windows WLAN AP Driver
CVE-2025-20692 - July 08, 2025

In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418040; Issue ID: MSV-3476.

Out-of-bounds Read

Out-of-Bounds Read in Microsoft WLAN Driver Enables Local Disclosure
CVE-2025-20691 - July 08, 2025

In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418039; Issue ID: MSV-3477.

Out-of-bounds Read

WLAN AP Driver OOB Read (CVE-2025-20690)
CVE-2025-20690 - July 08, 2025

In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418038; Issue ID: MSV-3478.

Out-of-bounds Read

OOB Read in WLAN AP Driver Enables Local Info Disclosure
CVE-2025-20689 - July 08, 2025

In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418048; Issue ID: MSV-3479.

Out-of-bounds Read

Microsoft WLAN AP Driver OOB Read causes local info disclosure
CVE-2025-20688 - July 08, 2025

In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418047; Issue ID: MSV-3480.

Out-of-bounds Read

Out-of-Bounds Write in Windows WLAN AP Driver Enables Local Privilege Escalation
CVE-2025-20682 - July 08, 2025

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416937; Issue ID: MSV-3445.

Memory Corruption

Local PrivEsc via OOB Write in WLAN AP Driver
CVE-2025-20681 - July 08, 2025

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416936; Issue ID: MSV-3446.

Memory Corruption

CVE-2025-20656: OOB Write in DA Enables Physical Local Priv Esc Escalation
CVE-2025-20656 - April 07, 2025

In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09625423; Issue ID: MSV-3033.

Memory Corruption

Transient DOS in OpenWrt UCI Command Processing
CVE-2024-53025 5.5 - Medium - March 03, 2025

Transient DOS can occur while processing UCI command.

Integer Overflow or Wraparound

Local Priv Esc via OOB Write in ALPS Driver (CVE-2025-20650)
CVE-2025-20650 - March 03, 2025

In da, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291294; Issue ID: MSV-2061.

Memory Corruption

Microsoft Windows BT Stack Info Disclosure via Missing Permission Check
CVE-2025-20649 - March 03, 2025

In Bluetooth Stack SW, there is a possible information disclosure due to a missing permission check. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00396437; Issue ID: MSV-2184.

Local Info Disclosure via OOB Read in 'da' Component
CVE-2025-20651 - March 03, 2025

In da, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291294; Issue ID: MSV-2062.

V6 DA OOB Write: Local Priv Escalation via Physical Access
CVE-2025-20635 6.6 - Medium - February 03, 2025

In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09403752; Issue ID: MSV-2434.

Memory Corruption

MediaTek BT FW reachable assertion leads to remote DoS
CVE-2024-20147 - February 03, 2025

In Bluetooth FW, there is a possible reachable assertion due to improper exception handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00389046 (Note: For MT79XX chipsets) / ALPS09136501 (Note: For MT2737, MT3603, MT6XXX, and MT8XXX chipsets); Issue ID: MSV-1797.

Microsoft WLAN Driver Assertion Failure DoS via Improper Exception Handling
CVE-2024-20152 - January 06, 2025

In wlan STA driver, there is a possible reachable assertion due to improper exception handling. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00389047 / ALPS09136505; Issue ID: MSV-1798.

assertion failure

V6 DA Driver OOB Write Enables Local Priv Escalation
CVE-2024-20143 - January 06, 2025

In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09167056; Issue ID: MSV-2069.

Memory Corruption

ALPS V6 DA OOB Write for Local Priv Escalation
CVE-2024-20144 - January 06, 2025

In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09167056; Issue ID: MSV-2041.

Memory Corruption

WCNCR WLAN STA Driver OOB Write Remote Code Exec
CVE-2024-20146 - January 06, 2025

In wlan STA driver, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00389496 / ALPS09137491; Issue ID: MSV-1835.

Memory Corruption

V6 DA OOB Write Enables Local Priv Escalation
CVE-2024-20145 - January 06, 2025

In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09290940; Issue ID: MSV-2040.

Memory Corruption

OpenWrt Image on Demand Server SHA-256 Hash Truncation Vulnerability
CVE-2024-54143 - December 06, 2024

openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users. This can be combined with other attacks, such as a command injection in Imagebuilder that allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key. This has been patched with 920c8a1.

Reversible One-Way Hash

MediaTek da Out-of-Bounds Read Vulnerability
CVE-2024-20136 - December 02, 2024

In da, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09121847; Issue ID: MSV-1821.

Out-of-bounds Read

Da Out of Bounds Read Vulnerability in Memory Management
CVE-2024-20107 - November 04, 2024

In da, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09124360; Issue ID: MSV-1823.

Out-of-bounds Read

MediaTek Da Out-of-Bounds Write Vulnerability
CVE-2024-20104 - November 04, 2024

In da, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09073261; Issue ID: MSV-1772.

Memory Corruption

Windows Power OOB Read Local Info Disclosure (Requires SYSTEM)
CVE-2024-20085 4.4 - Medium - September 02, 2024

In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08944204; Issue ID: MSV-1560.

Out-of-bounds Read

MS Windows PowerShell OOB Read for Local Info Disclosure
CVE-2024-20084 4.4 - Medium - September 02, 2024

In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08944210; Issue ID: MSV-1561.

Out-of-bounds Read

Android GNSS Service OOB Write Local Priv Escalation
CVE-2024-20081 6.7 - Medium - July 01, 2024

In gnss service, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08719602; Issue ID: MSV-1412.

Memory Corruption

Windows WLAN Service OOB Write Allows Local Escalation
CVE-2024-20073 - June 03, 2024

In wlan service, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00367704; Issue ID: MSV-1411.

Memory Corruption

Microsoft Windows WLAN Driver OOB Write Priv Escalation
CVE-2024-20072 - June 03, 2024

In wlan driver, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00364732; Issue ID: MSV-1332.

Memory Corruption

Microsoft Windows WLAN Driver OOB Read Local Info Disclosure
CVE-2024-20071 - June 03, 2024

In wlan driver, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00364733; Issue ID: MSV-1331.

Out-of-bounds Read

Off-Path TCP Hijacking via nf_conntrack_tcp_no_window_check in OpenWrt 18.06+
CVE-2023-30312 - May 28, 2024

An issue discovered in OpenWrt 18.06, 19.07, 21.02, 22.03, and beyond allows off-path attackers to hijack TCP sessions, which could lead to a denial of service, impersonating the client to the server (e.g., for access to files over FTP), and impersonating the server to the client (e.g., to deliver false information from a finance website). This occurs because nf_conntrack_tcp_no_window_check is true by default.

Android preloader Priv Esc via insecure default
CVE-2024-20056 - May 06, 2024

In preloader, there is a possible escalation of privilege due to an insecure default value. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08528185; Issue ID: ALPS08528185.

MS Windows Device Administration Permission Bypass Local Priv Escalation
CVE-2023-32871 - May 06, 2024

In DA, there is a possible permission bypass due to an incorrect status check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08355514; Issue ID: ALPS08355514.

Improper Check for Unusual or Exceptional Conditions

CVE-2024-20050: flashc Local Info Disclosure via Uncaught Exception
CVE-2024-20050 - April 01, 2024

In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541757; Issue ID: ALPS08541757.

Local DoS via uncaught exception in flashc
CVE-2024-20051 - April 01, 2024

In flashc, there is a possible system crash due to an uncaught exception. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541757; Issue ID: ALPS08541758.

FlashC Uncaught Exception Enables Local Info Disclosure (CVE-2024-20049)
CVE-2024-20049 - April 01, 2024

In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541765; Issue ID: ALPS08541765.

Remote OOB Write in MediaTek MT6XXX/MT79XX WLAN Firmware
CVE-2024-20040 - April 01, 2024

In wlan firmware, there is a possible out of bounds write due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08360153 (for MT6XXX chipsets) / WCNCR00363530 (for MT79XX chipsets); Issue ID: MSV-979.

CVE-2024-20054: GNSSe EtP via Missing Bounds Check
CVE-2024-20054 - April 01, 2024

In gnss, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08580200; Issue ID: ALPS08580200.

flashc OOB Write in Uncaught Exception Leads to Local Priv Escalation
CVE-2024-20053 - April 01, 2024

In flashc, there is a possible out of bounds write due to an uncaught exception. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541757; Issue ID: ALPS08541764.