{
  "variant_id": "cve-2026-27654-variant-analysis-20260528",
  "created_at": "2026-05-28T12:00:00Z",
  "variant_summary": "Systematic variant analysis of CVE-2026-27654 (nginx WebDAV COPY/MOVE heap-buffer-overflow with the alias directive). No bypass or distinct variant was found on the fixed version (1.29.7). Multiple alternate triggers (exact-match location, nested location, script alias, MOVE method, URL-encoded Destination header) were confirmed on the vulnerable version (1.29.6), and all of them are rejected by the fix on 1.29.7.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/nginx/nginx",
  "submitted_target": {
    "target_kind": "git_tag",
    "version": "1.29.6",
    "ref": "release-1.29.6",
    "display": "nginx release-1.29.6 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "cfee985e52df1a5cc93605ed27001ae1b8cf5037",
    "version": "1.29.7",
    "ref": "release-1.29.7",
    "display": "nginx release-1.29.7 (fixed)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "WebDAV COPY/MOVE requests to nginx locations that use the alias directive, where the Destination header URI is shorter than the location prefix",
  "validated_surface": "Same surface as claimed. Alternate triggers tested: exact-match locations, nested locations, script aliases, MOVE method, URL-encoded Destination headers. All reach the same root-cause underflow in ngx_http_map_uri_to_path() on the vulnerable version and are all rejected by the fix on the fixed version.",
  "required_entrypoint_kind": "http_request",
  "required_entrypoint_detail": "HTTP COPY or MOVE request to a DAV-enabled location using the alias directive, with a Destination header URI shorter than the location prefix length",
  "attacker_controlled_input": "HTTP Destination header URI path",
  "trigger_path": "ngx_http_dav_handler -> ngx_http_dav_copy_move_handler -> ngx_http_map_uri_to_path (line 1987 in ngx_http_core_module.c)",
  "observed_impact_class": "denial_of_service",
  "exploitability_confidence": "high",
  "evidence_scope": "fixed_version_tested",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "file_path": "src/http/modules/ngx_http_dav_module.c",
  "line_start": 645,
  "line_end": 653,
  "secondary_anchors": [
    {
      "file_path": "src/http/ngx_http_core_module.c",
      "line_start": 1987,
      "line_end": 1987
    },
    {
      "file_path": "src/http/modules/ngx_http_dav_module.c",
      "line_start": 713,
      "line_end": 720
    }
  ],
  "review_scope_paths": [
    "src/http/modules/ngx_http_dav_module.c",
    "src/http/ngx_http_core_module.c",
    "src/http/modules/ngx_http_try_files_module.c",
    "src/http/ngx_http_script.c"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/variant_final.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": ["vuln_variant/reproduction_steps.sh"]
  }
}
