{
  "same_root_cause": true,
  "confidence": "high",
  "parent_path": {
    "message_type": "FUSE_READDIR",
    "parser": "fs/fuse/readdir.c:parse_dirfile()",
    "sink": "fs/fuse/readdir.c:fuse_add_dirent_to_cache()",
    "oversized_length_source": "FUSE_DIRENT_SIZE(dirent) computed from attacker-controlled dirent.namelen=4095"
  },
  "variant_path": {
    "message_type": "FUSE_READDIRPLUS",
    "parser": "fs/fuse/readdir.c:parse_dirplusfile()",
    "sink": "fs/fuse/readdir.c:fuse_add_dirent_to_cache()",
    "oversized_length_source": "FUSE_DIRENT_SIZE(&direntplus->dirent) computed from attacker-controlled embedded dirent.namelen=4095"
  },
  "shared_sink": "fuse_emit() calls fuse_add_dirent_to_cache() for both parser paths when FOPEN_CACHE_DIR is set",
  "shared_failure_mode": "4120-byte memcpy into a single 4096-byte readdir cache page, overflowing 24 bytes into an adjacent page on vulnerable builds",
  "shared_trust_boundary": "local unprivileged attacker-controlled FUSE server response consumed by privileged Linux kernel FUSE code",
  "fix_equivalence": "A sink-level if (reclen > PAGE_SIZE) return guard in fuse_add_dirent_to_cache() blocks both parent and READDIRPLUS variant paths.",
  "runtime_result": "Variant reproduced on vulnerable module and failed closed on fixed module."
}
