{
  "variant_stage_outcome": "no_distinct_variant_confirmed",
  "confirmed": false,
  "is_bypass": false,
  "is_alternate_trigger": false,
  "claim_block_reason": "The only concrete alternate path found is PGImageExchangeQueueSvc.exe service startup creating the same PGImageExchQueue.ExchangeForm that registers the parent tcp://<host>:22222/PGImageExchange remoting endpoint. This is a patch-coverage concern, not a materially distinct entry point or sink. The service-hosted path was not runtime-confirmed in the Wine OnStart harness, and no public fixed PACS Scan build was available for patched-version bypass testing.",
  "validated_surface": "none_new_variant",
  "evidence_scope": "static_analysis_plus_runtime_attempt_plus_latest_probe",
  "end_to_end_target_reached": false,
  "runtime_backed": true,
  "runtime_result": "script_completed_exit_1_no_variant",
  "reproducer": "bundle/vuln_variant/reproduction_steps.sh",
  "reproducer_exit_code_semantics": {
    "exit_0": "distinct variant or fixed-version bypass reproduced",
    "exit_1": "no distinct variant/bypass found after checks"
  },
  "tested_candidates": [
    {
      "name": "service_hosted_pgimageexchange",
      "entrypoint": "PGImageExchangeQueueSvc.exe -> Service1.OnStart -> Service1.Start -> PGImageExchQueue.ExchangeForm",
      "same_root_cause": true,
      "distinct_variant": false,
      "static_result": "confirmed_same_endpoint_candidate",
      "runtime_result": "not_confirmed_under_wine_harness",
      "block_reason": "Same PGImageExchange remoting registration/sink as parent; runtime service harness did not listen on TCP/22222."
    },
    {
      "name": "sibling_image_exchange_binaries",
      "entrypoint": "Other EXE/DLL files in Pacsgear Image Exchange Service directory",
      "same_root_cause": false,
      "distinct_variant": false,
      "static_result": "no additional TcpChannel/RegisterWellKnownServiceType/ObjectURI registration found",
      "runtime_result": "not_applicable",
      "block_reason": "No separate remoting endpoint found in sibling files."
    },
    {
      "name": "newer_or_fixed_pacs_scan_package",
      "entrypoint": "PacsSCAN5.2.2/5.3/5.3.1/5.3.3 package probes",
      "same_root_cause": "unknown",
      "distinct_variant": false,
      "static_result": "5.2.2 returned 404; 5.3/5.3.1/5.3.3 packages identified but no CVE-specific fixed build or runtime bypass confirmed",
      "runtime_result": "not_confirmed",
      "block_reason": "No public fixed build identified; 5.3.3 packaging could not be fully non-interactively extracted to a comparable runtime target in this stage."
    }
  ],
  "observed_impact_class": "none_new_variant",
  "claimed_parent_impact_class": "code_execution",
  "exploitability_confidence": "not_confirmed_for_variant",
  "blocking_mitigation": "Patch/remove the central PGImageExchQueue.ExchangeForm remoting registration and regression-test both PGImageExchQueue.exe and PGImageExchangeQueueSvc.exe startup paths.",
  "inferred": false,
  "evidence": [
    "bundle/logs/vuln_variant/reproduction_steps.log",
    "bundle/logs/vuln_variant/vulnerable_static_scan.log",
    "bundle/logs/vuln_variant/service_candidate_scan.log",
    "bundle/logs/vuln_variant/service_onstart_script.log",
    "bundle/logs/vuln_variant/fixed_latest_check.log",
    "bundle/logs/vuln_variant/latest_version.txt"
  ]
}
