{
  "verdict": "no_variant_found",
  "confirmed": false,
  "bypass_confirmed": false,
  "alt_trigger_confirmed": false,
  "variant_type": "none",
  "summary": "No bypass or distinct alternate trigger for CVE-2026-54500 was found. The fix (intern.c form_attr buf->b, commit bbde91a, v3.17.3) fully closes the only reachable copy of the vulnerable sink. An exhaustive 11-mode empirical sweep on both the vulnerable (495cc38, v3.17.2) and fixed (bbde91a, v3.17.3) versions confirms that only Oj.load :object mode leaks, and only on the vulnerable version. All other modes (compat, rails, strict, null, wab, custom) and the newer Oj::Parser API (:usual with/without create_id, symbol-cached) are clean on both versions.",
  "tested_versions": {
    "vulnerable": {
      "commit_sha": "495cc38fc5a02681da2175960d4a667fae48f3c9",
      "version": "3.17.2",
      "ref": "v3.17.2"
    },
    "fixed": {
      "commit_sha": "bbde91a679728f94c4492ebc3683f4fa3309049f",
      "version": "3.17.3",
      "ref": "v3.17.3"
    }
  },
  "sweep_results": {
    "modes_tested": [
      "object",
      "compat_obj",
      "compat_hash",
      "rails",
      "strict",
      "null",
      "wab",
      "custom",
      "np_usual_obj",
      "np_usual_hash",
      "np_usual_obj_symcache"
    ],
    "runs_per_mode": 4,
    "key_len": 300,
    "vulnerable_leaking_modes": ["object"],
    "fixed_leaking_modes": [],
    "object_mode_vulnerable_evidence": {
      "outcome": "encoding_error",
      "msg_len_range": "1271-1432",
      "non_a_bytes_range": "1250-1426",
      "per_run_variation": true,
      "interpretation": "uninitialized stack memory (non-deterministic) leaked via EncodingError message"
    },
    "object_mode_fixed_evidence": {
      "outcome": "correct",
      "ivar_len": 301,
      "first_bytes": "40414141...",
      "deterministic": true
    }
  },
  "fix_coverage_assessment": {
    "fix_commit": "bbde91a679728f94c4492ebc3683f4fa3309049f",
    "fix_complete": true,
    "only_reachable_sink": "ext/oj/intern.c:form_attr() long-key path (len>=254)",
    "only_reachable_path": "Oj.load(:object) -> object.c:oj_set_obj_ivar -> intern.c:oj_attr_intern -> cache.c:cache_intern -> intern.c:form_attr",
    "duplicate_copy_status": "usual.c:form_attr already fixed in ec368dbe936ef0104b782e4b0f67b17d6c7276f7 (#1014), ancestor of v3.17.2",
    "third_copy_exists": false,
    "newer_parser_object_mode": "unimplemented (// TBD placeholder, parser.c:1263)"
  },
  "blocking_mitigation": "The one-character fix (rb_intern3(buf,...) -> rb_intern3(b,...) in intern.c:form_attr long-key path) eliminates the only reachable uninitialized-stack read. No other parse mode reaches intern.c:form_attr, and the duplicate usual.c:form_attr was already fixed before v3.17.2.",
  "out_of_scope_notes": [
    "fast.c doc_each_child depth-overflow fix bundled in the same commit bbde91a is a separate bug (different root cause/sink/impact), NOT a variant of CVE-2026-54500.",
    "Oj::Parser.new(:object) is an unimplemented // TBD placeholder, not a reachable entry point."
  ],
  "evidence_refs": {
    "repro_script": "bundle/vuln_variant/reproduction_steps.sh",
    "probe": "bundle/vuln_variant/probe_variant.rb",
    "log": "bundle/logs/vuln_variant_repro.log",
    "vuln_outcomes": "bundle/logs/vuln_variant_outcomes.txt",
    "fixed_outcomes": "bundle/logs/fixed_variant_outcomes.txt",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "patch_analysis": "bundle/vuln_variant/patch_analysis.md",
    "rca_report": "bundle/vuln_variant/rca_report.md"
  },
  "idempotency": {
    "runs": 2,
    "both_completed_without_crash": true,
    "both_exit_code": 1,
    "repo_restored_to": "bbde91a679728f94c4492ebc3683f4fa3309049f"
  }
}
