{
  "parent_root_cause": "CVE-2026-35025: ProFTPD's dir_canonical_path() performs only lexical path cleaning and does not resolve symlinks such as /proc/self/root. When the resulting canonical path is passed to dir_check(), the lexical <Directory> match misses the intended DenyAll block, allowing access-control bypass.",
  "variant_root_cause": "The same lexical canonicalization weakness is reached through the DELE command handler (core_dele in modules/mod_core.c), which calls dir_canonical_path() and then dir_check() on the result. A /proc/self/root-prefixed DELE path therefore misses the protected <Directory> block and deletes the file at the resolved real path.",
  "equivalence_reasoning": [
    "Both variants use the same sink: dir_check() on the output of dir_canonical_path() in modules/mod_core.c.",
    "Both variants rely on the same attacker-controlled input: a /proc/self/root prefix in a filesystem path argument.",
    "Both variants exploit the same failure: lexical <Directory> matching after symlink-preserving canonicalization.",
    "Both variants require the same trust boundary and environment: authenticated FTP session, non-chrooted server, DenyAll Directory ACL.",
    "The proposed RNFR-only fix (dir_check->dir_check_canon in core_rnfr) does not change core_dele(), so the variant still reproduces on the patched code path."
  ],
  "confidence": "high",
  "divergences": [
    "The parent exploit uses RNFR/RNTO to rename and retrieve a protected file; the variant uses DELE to delete a protected file.",
    "The impact class is therefore file deletion rather than file rename/retrieval."
  ]
}
