{
  "root_cause_equivalence": "high",
  "analysis": "The original CVE-2026-54466 and this variant share the same message-corruption sink: stage 2 of Draft75.parse emits Buffer.from(this._buffer) as a message when 0xFF is encountered, even when the parser is in skip mode (binary frame payload consumption). The stale _buffer content from a prior text frame is emitted instead of the intended message, and the intended message (sentinel) is consumed/lost. The original CVE triggers this by using an oversized _length (> _maxLength) that causes the parser to enter skip mode with a huge skip count, consuming the sentinel. The variant triggers the same sink by using a valid _length (within _maxLength) that is >= the sentinel frame's wire size, so the sentinel is consumed in skip mode and its 0xFF terminator triggers the stale buffer emission. Both share: (1) the same sink (stage 2 0xFF check + stale _buffer), (2) the same entry point (Server.parse -> Draft75.parse), (3) the same trust boundary (untrusted network peer -> server-side parser), (4) the same impact (message corruption/loss). The 0.7.5 fix only addresses the oversized-_length vector; the valid-_length vector remains unfixed.",
  "shared_sink": "Draft75.parse case 2: if (octet === 0xFF) { emit Buffer.from(this._buffer); this._stage = 0; }",
  "shared_root_cause_bugs": [
    "_parseLeadingByte does not reset this._buffer when high bit is set (binary frame path)",
    "Stage 2 treats 0xFF as frame terminator unconditionally, before skip-mode/text-mode branching"
  ],
  "original_trigger": "Oversized length header: 0x80 0xFF 0xFF 0xFF 0x7F -> _length=268435455 > _maxLength -> skip mode with huge _length",
  "variant_trigger": "Valid length header: 0x80 0x1E -> _length=30 <= _maxLength -> skip mode with valid _length >= sentinel wire size",
  "fix_addresses_original": true,
  "fix_addresses_variant": false,
  "same_trust_boundary": true,
  "same_entry_point": true,
  "same_impact_class": true
}
