We received a downstream bug report about an alleged crash in basename, complete with CVE assignment. However, it looks like the fuzzing process was set up incorrectly and the function just ran off the page because the input string was not NUL-terminated: https://bugzilla.redhat.com/show_bug.cgi?id=1554538 This bug is just a notification/placeholder for tracking.
CVE assignment was premature. There is no bug.