{
  "root_cause_equivalence": "high",
  "analysis": "The spoolss RPC StartDocPrinter variant reaches the exact same vulnerable sink as the original CVE-2026-4480 repro. Both paths converge at generic_job_submit() in source3/printing/print_generic.c, which substitutes the client-controlled job name into the 'print command' via %J and passes the result to smbrun_no_sanitize() -> execl('/bin/sh', 'sh', '-c', cmd, NULL) without proper shell escaping.",
  "original_path": {
    "entry_point": "SMB file open on printable share (SMB2 Create or SMB1 open)",
    "input_source": "Client-supplied filename in SMB create/open request",
    "input_restrictions": "Subject to SMB filename character restrictions (no / \\ : * ? \" < > |)",
    "convergence_point": "print_spool_open(fsp, filename) -> print_job_start(docname) -> print_job_end() -> generic_job_submit()",
    "key_code": "smbd/open.c:3616 print_spool_open(fsp, smb_fname->base_name, req->vuid)"
  },
  "variant_path": {
    "entry_point": "spoolss RPC StartDocPrinter (MS-RPRN opnum 17) over \\pipe\\spoolss",
    "input_source": "Client-supplied pDocName field in DOC_INFO_1 structure",
    "input_restrictions": "NOT subject to SMB filename restrictions — any UTF-16 character allowed",
    "convergence_point": "_spoolss_StartDocPrinter() -> print_job_start(info_1->document_name) -> print_job_end() -> generic_job_submit()",
    "key_code": "srv_spoolss_nt.c:6035 print_job_start(session_info, ..., info_1->document_name, ...)"
  },
  "shared_sink": {
    "file": "source3/printing/print_generic.c",
    "function": "generic_job_submit",
    "line": 261,
    "vulnerable_code": "print_run_command(snum, ..., lp_print_command(snum), NULL, \"%s\", p, \"%J\", jobname, ...)",
    "execution": "print_run_command -> talloc_string_sub(%J, jobname) -> smbrun_no_sanitize -> execl('/bin/sh', 'sh', '-c', cmd, NULL)",
    "sanitization_gap": "talloc_string_sub2() with remove_unsafe_characters=true only masks $ ` \" ' ; % \\r \\n — misses & | < > ( ) # etc."
  },
  "fix_coverage": {
    "fix_commit": "b80131fcf582ecc8e8c1b97e6051bb324bb8bef8",
    "fix_location": "generic_job_submit() — the SINK, not any specific entry point",
    "fix_mechanism": "replace_print_cmd_J() masks all unsafe characters ($ ` \" ' ; % | & < > / \\ + control chars) to _ and wraps %J substitution in single quotes",
    "covers_original_path": true,
    "covers_variant_path": true,
    "reason": "The fix is at the sink where both paths converge. By pre-substituting %J with a masked, single-quoted value before print_run_command(), the fix covers ALL entry points that reach generic_job_submit()."
  },
  "same_root_cause": true,
  "same_sink": true,
  "same_trust_boundary": true,
  "same_impact_class": true,
  "impact_class": "code_execution"
}
