{
  "entrypoint_kind": "local_kernel_runtime",
  "entrypoint_detail": "QEMU-booted Linux FUSE READDIRPLUS path; malicious FUSE daemon advertises FUSE_DO_READDIRPLUS and returns a direntplus with embedded dirent namelen=4095",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "qemu-system-x86_64",
    "linux-kernel-non-KASAN",
    "fuse.ko",
    "ext4-rootfs",
    "busybox-init",
    "malicious-FUSE-READDIRPLUS-daemon"
  ],
  "tested_kernel_version": "6.18.18\r",
  "source_version": "6.18.18.",
  "proof_artifacts": [
    "logs/vuln_variant/readdirplus_variant.log",
    "logs/vuln_variant/qemu_readdirplus_vuln.log",
    "logs/vuln_variant/qemu_readdirplus_fixed.log",
    "vuln_variant/fuse_readdirplus_lpe.c",
    "vuln_variant/fuse_readdirplus_lpe",
    "vuln_variant/fuse-readdirplus-vuln.ko",
    "vuln_variant/fuse-readdirplus-fixed.ko"
  ],
  "notes": "No bypass: READDIRPLUS variant reproduced on vulnerable module but fixed module rejected the oversized embedded dirent and left /etc/passwd unchanged."
}