I found another null ptr deref and segfault. This only seems to affect bash 4.4.0 as 4.2.37(1)-release and 4.2.37(1)-release only return a 'bad substitution' error message.
Program received signal SIGSEGV, Segmentation fault.
==40990== Invalid read of size 1
==40990== at 0x5D36B7: get_var_and_type (subst.c:6827)
==40990== by 0x5D36B7: parameter_brace_transform.isra.17 (subst.c:4937)
==40990== by 0x59F65C: parameter_brace_expand (subst.c:8020)
==40990== by 0x5A1EEB: param_expand (subst.c:8384)
==40990== by 0x5C164F: expand_word_internal (subst.c:8936)
==40990== by 0x5C164F: shell_expand_word_list (subst.c:10177)
==40990== by 0x5C164F: expand_word_list_internal (subst.c:10300)
==40990== by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==40990== by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==40990== by 0x6B5D61: parse_and_execute (evalstring.c:413)
==40990== by 0x41F7A4: run_one_command (shell.c:1374)
==40990== by 0x4295A9: main (shell.c:699)
==40990== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==40990==
==40990== Process terminating with default action of signal 11 (SIGSEGV)
==40990== Access not within mapped region at address 0x0
==40990== at 0x5D36B7: get_var_and_type (subst.c:6827)
==40990== by 0x5D36B7: parameter_brace_transform.isra.17 (subst.c:4937)
==40990== by 0x59F65C: parameter_brace_expand (subst.c:8020)
==40990== by 0x5A1EEB: param_expand (subst.c:8384)
==40990== by 0x5C164F: expand_word_internal (subst.c:8936)
==40990== by 0x5C164F: shell_expand_word_list (subst.c:10177)
==40990== by 0x5C164F: expand_word_list_internal (subst.c:10300)
==40990== by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==40990== by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==40990== by 0x6B5D61: parse_and_execute (evalstring.c:413)
==40990== by 0x41F7A4: run_one_command (shell.c:1374)
==40990== by 0x4295A9: main (shell.c:699)
==40990== If you believe this happened as a result of a stack
==40990== overflow in your program's main thread (unlikely but
==40990== possible), you can try to increase the size of the
==40990== main thread stack using the --main-stacksize= flag.
==40990== The main thread stack size used in this run was 8388608.
Segmentation fault