{
  "variant_outcome": "alternate_trigger_confirmed",
  "is_bypass": false,
  "variant_triggered": true,
  "variant_summary": "Confirmed alternate trigger for CVE-2026-4480 via spoolss RPC StartDocPrinter(pDocName). The spoolss RPC path is a materially different entry point (DCERPC over SMB pipe \\pipe\\spoolss, opnum 17) with different input constraints (document_name not subject to SMB filename restrictions). RCE confirmed on vulnerable 4.22.9 (id output + marker file). Fix covers this path because it is at the sink (generic_job_submit), not the entry point. Blocked on fixed 4.22.10.",
  "validated_surface": "network_protocol",
  "validated_entrypoint_kind": "tcp_peer",
  "validated_entrypoint_detail": "spoolss RPC StartDocPrinter(pDocName) over SMB pipe \\pipe\\spoolss (TCP 445, guest/anonymous); MS-RPRN opnum 17",
  "vulnerable_version": {
    "version": "4.22.9",
    "commit_sha": "ff3dd691f38e23f9ea8d18376df1b24ea9b335b6",
    "rce_confirmed": true,
    "id_output_detected": true,
    "marker_file_created": true,
    "smbd_command_log": "Running the command `(echo PWN&&id&&touch spoolss_marker&&END) > /tmp/samba_printlog_vuln_spoolss 2>&1' gave 127"
  },
  "fixed_version": {
    "version": "4.22.10",
    "commit_sha": "0abfaceda097f447ac0284db9f639dabc5070595",
    "rce_blocked": true,
    "id_output_detected": false,
    "marker_file_created": false,
    "smbd_command_log": "Running the command `(echo 'PWN__id__touch spoolss_marker__END') > /tmp/samba_printlog_fixed_spoolss 2>&1' gave 0"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "blocking_mitigation": "replace_print_cmd_J() in generic_job_submit() masks all unsafe characters ($ ` \" ' ; % | & < > / \\ and control chars) to _ and wraps jobname in single quotes. This fix is at the sink, covering both SMB file open and spoolss RPC entry points.",
  "fix_coverage_assessment": "complete",
  "fix_gap_description": null,
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "end_to_end_target_reached": true,
  "inferred": false,
  "tested_candidates": [
    {
      "candidate": "spoolss RPC StartDocPrinter(pDocName)",
      "outcome": "alternate_trigger_confirmed",
      "details": "RCE on vulnerable 4.22.9, blocked on fixed 4.22.10. pDocName not subject to SMB filename restrictions."
    },
    {
      "candidate": "Other print_run_command callers (lprm, lppause, lpresume, lpq, queuepause, queueresume)",
      "outcome": "ruled_out",
      "details": "These callers pass only %j (numeric job ID), %p (printer name from config), or no substitutions. None are client-controlled injectable values."
    },
    {
      "candidate": "Other substitution variables (%s, %f, %z, %c, %p)",
      "outcome": "ruled_out",
      "details": "%s/%f are server-generated spool file paths, %z/%c are numeric, %p is from config. None are client-controlled."
    },
    {
      "candidate": "SMB1 SMBsplopen (reply_printopen)",
      "outcome": "ruled_out",
      "details": "Passes NULL to print_spool_open(), resulting in hardcoded docname 'Remote Downlevel Document' with no client-controlled component."
    }
  ]
}
