{
  "claim_outcome": "confirmed_variant",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "library_api",
  "evidence_scope": "realistic_harness",
  "claimed_impact_class": "memory_corruption",
  "observed_impact_class": "memory_corruption",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "API call sequence and cleanup order on easy handles linked by CURLOPT_STREAM_DEPENDS, in particular curl_easy_duphandle(parent) after setting the dependency",
  "trigger_path": "curl_easy_setopt(CURLOPT_STREAM_DEPENDS) -> curl_easy_duphandle(parent) -> curl_easy_cleanup(parent) -> curl_easy_cleanup(parent_clone)",
  "end_to_end_target_reached": true,
  "sanitizer_used": true,
  "crash_observed": true,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "bypass": false,
  "bypass_commit_tested": "3f00a2f6fa97f7721b65606954aac979dcb6caac",
  "bypass_result": "clean",
  "blocking_mitigation": "The upstream fix removes the HTTP/2 stream-dependency tree entirely (CURLOPT_STREAM_DEPENDS becomes a deprecated no-op), so the alternate trigger cannot reproduce on the fixed or latest releases.",
  "inferred": false,
  "notes": "Primary variant uses curl_easy_duphandle; a secondary variant resets/cleans up the parent before the child. Both trigger the same heap-use-after-free on the vulnerable commit but exit cleanly on the fixed and latest commits."
}
