Unbound before 1.9.5 allows an assertion failure and denial of service in synth_cname. Reference: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
I no longer have permission to close this bug, or see what is blocking this. But it's an old resolved issue
Upstream patch: https://github.com/NLnetLabs/unbound/commit/f5e06689d193619c57c33270c83f5e40781a261d
Statement: This issue could not be triggered by running unbound regularly, but only by injecting the packet directly to the vulnerable function through fuzzing. For this reason its Impact is Moderate.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1853 https://access.redhat.com/errata/RHSA-2021:1853
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-25036
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0632 https://access.redhat.com/errata/RHSA-2022:0632