{
  "entrypoint_kind": "dns_query",
  "entrypoint_detail": "public ares_getaddrinfo(AF_INET) call in real c-ares over a real localhost TCP DNS socket to a malicious peer; the peer sends FORMERR without OPT, a duplicate same-qid NXDOMAIN, observes the follow-on search-domain query, then TCP resets the connection. A public ares_library_init_mem allocator hook deterministically reclaims the freed host_query with a forged callback/arg pair to test code-execution exploitability.",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "real c-ares v1.34.6 vulnerable libcares.a and v1.34.7 fixed libcares.a",
    "non-sanitized gcc production-mode harness (-O0 for deterministic instrumentation, no ASan/UBSan)",
    "public ares_getaddrinfo() API",
    "public ares_library_init_mem() allocator hooks used for deterministic heap reclaim",
    "localhost TCP DNS malicious peer implemented with pthread/socket/select"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/rce_reclaim_vuln_attempt1.log",
    "logs/rce_reclaim_vuln_attempt2.log",
    "logs/rce_reclaim_fixed_attempt1.log",
    "logs/rce_reclaim_fixed_attempt2.log",
    "repro/rce_reclaim_harness.c",
    "repro/runtime_manifest.json",
    "repro/validation_verdict.json"
  ],
  "notes": "rce_marker_fired=1 rce_marker_count=4 fixed_marker=0 fixed_marker_count=0 vuln_boundary=1 fixed_boundary=1 controlled_reclaim=1 vuln_runs_ok=1 fixed_runs_ok=1 vulnerable_sha=3ac47ee46edd8ea40370222f91613fc16c434853 fixed_sha=d63b7de3a3568d14ab1351374b205365aed51cca"
}