Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule.

References:
https://nlnetlabs.nl/downloads/unbound/CVE-2019-16866.txt
https://github.com/NLnetLabs/unbound/blob/7dfbcdf276e7a1070978209d2533b3b8cc504f86/doc/Changelog
Statement: This issue has been classified as having low security impact because:
- per default, unbound is not configured to listen on a public interface
- per default, the ACL is limited to localhost, so even if listening to a public interface, the crash cannot happen per default

It mostly affects people running unbound as a "public" DNS resolver. Using such configurations, unbound has no valuable secrets that could be obtained by a successful attack, so at best the server crashes and restarts, resulting in an empty DNS cache. Sustained sending of packets would result in a DoS though.
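An added example (not from the advisory or the Unbound project): a Python check of whether a host meets the exposure conditions named in the statement above, that is, a version before 1.9.4, a non-loopback listener, and an access-control rule that admits non-local clients. The function names and both sample configurations are constructed for illustration; `include:` files are assumed to be already merged into the text.

```python
import ipaddress
import re

FIXED = (1, 9, 4)  # first fixed release, per the advisory text
ALLOWING = {"allow", "allow_setrd", "allow_snoop"}  # actions that answer queries

def parse_options(conf_text):
    """Collect repeated 'key: value' options from unbound.conf text."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([a-z0-9-]+):\s*(.+)$", line)  # skips bare 'server:'
        if m:
            opts.setdefault(m.group(1), []).append(m.group(2).strip())
    return opts

def is_loopback(value):
    """True if an address[@port] or netblock lies entirely in loopback space."""
    try:
        return ipaddress.ip_network(value.split("@")[0], strict=False).is_loopback
    except ValueError:
        return False  # interface name or unparsable value: assume reachable

def assess(version, conf_text):
    ver = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    opts = parse_options(conf_text)
    listeners = [i for i in opts.get("interface", []) + opts.get("ip-address", [])
                 if not is_loopback(i)]
    if "yes" in opts.get("interface-automatic", []):
        listeners.append("interface-automatic")
    allows = [e.split()[0] for e in opts.get("access-control", [])
              if len(e.split()) >= 2 and e.split()[1] in ALLOWING
              and not is_loopback(e.split()[0])]
    return {
        "vulnerable_version": ver < FIXED,
        "public_interfaces": listeners,
        "nonlocal_allow_rules": allows,
        # All three conditions from the statement must hold at once.
        "remotely_reachable": ver < FIXED and bool(listeners) and bool(allows),
    }

# Constructed sample configurations (not taken from any real host).
DEFAULT_LIKE = "server:\n    verbosity: 1\n"
PUBLIC = """server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 allow   # open resolver
"""

if __name__ == "__main__":
    for name, conf in (("default-like", DEFAULT_LIKE), ("public", PUBLIC)):
        print(name, assess("1.9.3", conf))
```

Feed it the version reported by `unbound -V` and the contents of the running configuration file.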
External References: https://nlnetlabs.nl/downloads/unbound/CVE-2019-16866.txt