{
  "same_root_cause": true,
  "equivalence_scope": "service_hosted_candidate_only",
  "parent_root_cause": "PGImageExchQueue.ExchangeForm registers an unauthenticated .NET Remoting TcpChannel and publishes MarshalByRefObject CRemote as ObjectURI PGImageExchange, enabling MBRO/WebClient file read/write.",
  "candidate_root_cause": "PGImageExchangeQueueSvc.exe Service1.Start statically creates PGImageExchQueue.ExchangeForm, which would execute the same remoting registration if reached under a native service startup path.",
  "shared_sink": "System.Runtime.Remoting RemotingConfiguration.RegisterWellKnownServiceType(..., \"PGImageExchange\", ...) and ChannelServices.RegisterChannel(TcpChannel, false)",
  "shared_trust_boundary": "unauthenticated network client to product remoting endpoint",
  "materially_distinct": false,
  "reason_not_distinct": "The candidate does not introduce a new ObjectURI, protocol, deserialization sink, or attacker-controlled field. It is another host for the same ExchangeForm endpoint and therefore a patch-coverage path rather than a separate variant.",
  "confidence": "high_static_low_runtime",
  "runtime_confirmation": false,
  "evidence": {
    "parent_il": "bundle/vuln_variant/PGImageExchQueue.variant.il lines around 16408-16494",
    "service_il": "bundle/vuln_variant/PGImageExchangeQueueSvc.variant.il lines around 215-285",
    "logs": [
      "bundle/logs/vuln_variant/vulnerable_static_scan.log",
      "bundle/logs/vuln_variant/service_candidate_scan.log",
      "bundle/logs/vuln_variant/service_onstart_script.log"
    ]
  }
}
