{
  "verdict": "no_variant_found",
  "verdict_timestamp": "2026-05-28T12:00:00Z",
  "tested_variant_count": 6,
  "bypass_found": false,
  "distinct_variant_found": false,
  "summary": "Exhaustive variant testing against the fixed nginx version (release-1.29.7, commit cfee985) found no bypass or distinct variant of CVE-2026-27654. Six alternate trigger configurations were tested on both vulnerable and fixed versions: (1) prefix location, (2) exact-match location, (3) nested location, (4) script alias, (5) MOVE method, (6) URL-encoded Destination header. All six triggered the heap-buffer-overflow root cause on the vulnerable version and were correctly rejected with HTTP 400 by the fixed version. No ASAN errors were observed on the fixed version for any trigger.",
  "blocking_mitigation": "The fix (commit 9739e75) adds a precise length validation in ngx_http_dav_copy_move_handler() that rejects any COPY/MOVE request where the parsed Destination URI is shorter than the location alias prefix length (clcf->alias). This directly prevents the size_t underflow in ngx_http_map_uri_to_path(). Since no other code path in the nginx codebase temporarily substitutes attacker-controlled data into r->uri before calling ngx_http_map_uri_to_path(), there is no alternate entry point to bypass this validation.",
  "fix_completeness_assessment": "complete",
  "tested_commit": "cfee985e52df1a5cc93605ed27001ae1b8cf5037"
}