A stock verdana.ttf, one directory entry changed. I loaded it through a public API on a real Windows build of Skia, and AddressSanitizer printed the sentence I was hoping for: a heap-buffer-overflow, a write of 243,300 bytes, zero bytes past the end of a 280-byte allocation. The length is mine. The bytes are mine. The stack runs straight from main down through the public font manager into the function that did it.
That is the whole finding, and it reproduces every time. What happened after I reported it is the part worth writing down, because it is not a story about a bug being wrong. It is a story about a bug being real and declined anyway - and about what that says about the word "reachable."
Reported to Google's issue tracker on 2026-06-23 (issue 527060475, not public). A Chromium security reviewer returned Won't Fix (Not Reproducible) on 2026-06-24. The bug itself is real: verified end to end under AddressSanitizer through a public API, with a one-hunk fix that closes it, and it remains unpatched in main. There is no CVE and no embargo. The crash was not disputed - what was declined was its severity under a web-only threat model.