A glance at the nmap one seems potentially high severity. It might be a nothing in practice, but it being around parser code means the chances of preparing something to jump around are pretty high.

There'd be a certain irony being able to reverse shell anyone doing an nmap scan. If i had infinite tokens i'd throw claude on writing an exploit and dig through the history who made it possible because - if we take a moment to wildly speculate and assume it can ACE - this is the kind of bug an intelligence agency would love to have: Add a few ipv6 packets that then edit the trace being observed if the observer uses nmap / get access to any researcher pc who uses nmap.