The Server-Server protocol implementation in ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated by the IRC_NJOIN() function.
Maintainer, please bump.
Bleh. Upstream's view is understandable. We cannot do much for now.
From upstream (https://github.com/ngircd/ngircd/pull/276#issuecomment-636494495):
"For ngIRCd 26 … nothing, I guess: as this seems to only affect the server-server protocol (which is „trusted by design“, we don’t have to handle invalid input here, this is bad practice, but as already pointed out, „by design“ – so removing this bug from the milestone)."