There were several CVE issued for ntp 4.2.8p15:
CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554, CVE-2023-26555
As of now I don’t find any discussion about the impact (or if it’s remotely executable at all).
The archive at list.ntp.org are a mess (partially empty). ntpsec doesn’t seem to be affected…
The first four CVEs refer to the function mstolfp(), which is defined in libntp/mstolfp.c (not existing in ntpsec!), but is not called by ntpd itself (not even indirectly), but only by the command line tool ntpq, for formatting the output, if I see it correctly. I think a remote attack on a running ntpd is impossible, at most a malicious server can use it to attack a user calling ntpq.
The last CVE should have even less relevance for the general public, because the bug is in the driver for a certain GPS receiver. So only those who have such a receiver can be attacked, and then probably only via a manipulated firmware in the receiver.