It looks like this was fixed upstream earlier this year in this commit:
https://gitlab.com/NTPsec/ntpsec/-/commit/9931ebb3d1418b648f80510a86520a4d11bab3d6
The relevant bit is the change to ctl_putarray() to set buffer[0] = 0;
It does not appear that this fix has appeared in a release yet.
Exposing stack garbage like this runs the hard-to-quantify risk that
keying material could be exposed over the network.
See also https://gitlab.com/NTPsec/ntpsec/-/issues/806 which is another
manifestation of this bug (depending on the stack garbage, it can cause
other ntpq subcommands to fail).
