InspIRCd Security Advisory 2024-01


The spanningtree module before v4.0.1 contains a null pointer dereference. When the chanhistory module is also loaded this vulnerability can be used to remotely crash a InspIRCd server by any user able to connect to a server and set channel modes.

Thanks to @RobCubed for reporting this issue.

Affected Versions

This vulnerability is present in the following releases:

This vulnerability is fixed in version 4.0.1. It is strongly recommended that all affected users upgrade.

If upgrading is not possible then the spanningtree module should be unloaded. If this is also not possible then the chanhistory module should be unloaded.