From $URL: The Server-Server protocol implementation in ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated by the IRC_NJOIN() function. Maintainer, please bump.
Bleh. Upstream's view is understandable. We cannot do much for now. From upstream (https://github.com/ngircd/ngircd/pull/276#issuecomment-636494495): "For ngIRCd 26 … nothing, I guess: as this seems to only affect the server-server protocol (which is „trusted by design“, we don’t have to handle invalid input here, this is bad practice, but as already pointed out, „by design“ – so removing this bug from the milestone)."
Upstream doesn't think this is a real security bug, and I too am skeptical that a malicious esrver in the network is a real security issue since other servers in the network are implicitly trusted. Upstream also doesn't think there's a proper way to fix this, so there's really not much we can do here. I'm going to close this as invalid for now and reopen if there's ever any movement upstream.
Upstream has officially WONTFIX'd.