A flaw has been found in the Linux kernel that can make it easier to perform DNS cache poisoning attacks.
It you cannot upgrade, there is a mitigation: in the firewall configuration, change the input policy of the WAN firewall zone from
DROP and reload the firewall configuration. This will prevent sending ICMP errors to hosts on the Internet and suppress the attack vector. Note: you don't need to do this if you have already upgraded to a fixed version of OpenWrt.
Full advisory: https://openwrt.org/advisory/2020-12-09-1