Reverse engineering the fix. For each vulnerability: the vulnerable code, the patched code, the diff, and a clear explanation of why the fix actually works.
Patch-diffing turns a vendor fix into a root-cause understanding. Each study takes the public vulnerable and patched releases of a project and walks the delta:
| Section | Question it answers |
|---|---|
| Root cause | What flawed assumption or missing check created the bug? |
| Vulnerable code | The exact pre-patch code path, annotated |
| The patch | The upstream commit / diff that fixed it |
| Why the fix works | How the change closes the primitive — and edge cases |
| Regression risk | What the fix might break; how upstream tested it |
studies/<project>-CVE-YYYY-NNNNN/
├── README.md # The analysis (sections above)
├── vulnerable/ # Minimal excerpt of the pre-patch code (with source ref)
├── patched/ # Post-patch code excerpt
├── diff/ # Annotated unified diff + upstream commit link
└── docs/ # Call-graph / data-flow diagrams
Code excerpts are minimal, attributed to their upstream source and license, and included strictly for analysis and education.
- Pin the last-vulnerable and first-patched tags from the upstream repo.
- Isolate the security-relevant hunk (ignore unrelated churn).
- Trace the data/control flow into the vulnerable primitive.
- Explain the fix and verify the primitive is genuinely closed.
- Cross-link the runnable reproduction in CVE-Labs-2025-2026.
⏳ Studies land alongside each CVE lab. See CHANGELOG.md.
Part of the diedromeo security portfolio.
MIT for the analysis and tooling. Third-party code excerpts remain under their original upstream licenses, as noted per study.