Same thing that's explained by <a href="https://crypto.stackexchange.com/a/48586" rel="nofollow">https://crypto.stackexchange.com/a/48586</a> ?<p>TLDR: It's easy to find fixed points of hashes like SHA-256.
How much of a concern is this? Do we now need to use SHA512 for everything, or is this more of an academic vulnerability that we won't see in the wild?
It's unfortunate that proof.py doesn't give an example of a message block that leads from h0 to the q._h constant.<p>I.e. Free-start collisions don't let you create two PDFs with the same sha256 hash.