{
  "verdict": "confirmed_distinct_alternate_trigger_no_fixed_bypass",
  "confirmed_distinct_variant_or_bypass": true,
  "distinct_variant_type": "alternate_entrypoint_message_type",
  "alternate_trigger_confirmed_on_vulnerable": true,
  "fixed_version_bypass_confirmed": false,
  "claim_outcome": "confirmed_alternate_trigger_not_bypass",
  "claim_block_reason": "The FUSE_READDIRPLUS alternate parser path reaches the same sink and reproduces on the vulnerable module, but the fixed module's sink-level reclen > PAGE_SIZE guard blocks the oversized embedded dirent before the cache memcpy.",
  "repro_result": "confirmed_on_vulnerable_blocked_on_fixed",
  "validated_surface": "local_only",
  "evidence_scope": "production_path",
  "claimed_impact_class": "privilege_escalation",
  "observed_impact_class": "privilege_escalation_on_vulnerable_alternate_trigger_only",
  "exploitability_confidence": "high_for_vulnerable_alternate_trigger",
  "attacker_controlled_input": "FUSE_READDIRPLUS reply containing a struct fuse_direntplus with embedded dirent.namelen=4095 and page-boundary overflow payload.",
  "trigger_path": "uid 1000 FUSE daemon -> FUSE_INIT advertises FUSE_DO_READDIRPLUS -> getdents64 -> FUSE_READDIRPLUS -> parse_dirplusfile -> fuse_emit -> fuse_add_dirent_to_cache -> vulnerable 4120-byte memcpy into 4096-byte page; fixed guard returns before memcpy.",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": "if (reclen > PAGE_SIZE) return; in fuse_add_dirent_to_cache()",
  "inferred": false,
  "runtime_evidence": {
    "script_executed_twice": true,
    "script_exit_code_meaning": "Exit 1 is expected because no fixed-version bypass was confirmed; both runs completed and collected vulnerable/fixed evidence.",
    "vulnerable_markers": [
      "received FUSE_READDIRPLUS",
      "PAGE_CACHE_CORRUPTION_CONFIRMED uid=1000 target=/etc/passwd",
      "VARIANT_AFTER=root::0:0:x:.",
      "VARIANT_RESULT_READDIRPLUS_LPE_CONFIRMED"
    ],
    "fixed_markers": [
      "received FUSE_READDIRPLUS",
      "VARIANT_AFTER=root:x:0:0:root:/root:/bin/sh",
      "VARIANT_RESULT_FIXED_REJECTED_READDIRPLUS_OVERSIZED_DIRENT"
    ],
    "logs": [
      "bundle/logs/vuln_variant/readdirplus_variant.log",
      "bundle/logs/vuln_variant/qemu_readdirplus_vuln.log",
      "bundle/logs/vuln_variant/qemu_readdirplus_fixed.log"
    ]
  }
}
