CVE-2026-22189

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-22189
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/panda3d/panda3d Product
https://seclists.org/fulldisclosure/2026/Jan/10 Exploit Mailing List Third Party Advisory
https://www.panda3d.org/ Product
https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:*
History

26 May 2026, 14:16

Type Values Removed Values Added
Summary
  • (es) Las versiones de Panda3D hasta la 1.10.16 inclusive, egg-mkfont contiene una vulnerabilidad de desbordamiento de búfer basado en pila debido al uso de una llamada sprintf() sin límites con entrada controlada por el atacante. Al construir nombres de archivo de glifos, egg-mkfont formatea un patrón de glifo proporcionado por el usuario (-gp) en un búfer de pila de tamaño fijo sin validación de longitud. Suministrar una cadena de patrón de glifo excesivamente larga puede desbordar el búfer de pila, lo que resulta en corrupción de memoria y un fallo determinista. Dependiendo de la configuración de compilación y el entorno de ejecución, el desbordamiento también puede ser explotable para ejecución de código arbitrario.
Summary (en) Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution. (en) The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.

12 Jan 2026, 17:59

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:*
CWE CWE-787
First Time Cmu
Cmu panda3d
References () https://github.com/panda3d/panda3d - () https://github.com/panda3d/panda3d - Product
References () https://seclists.org/fulldisclosure/2026/Jan/10 - () https://seclists.org/fulldisclosure/2026/Jan/10 - Exploit, Mailing List, Third Party Advisory
References () https://www.panda3d.org/ - () https://www.panda3d.org/ - Product
References () https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow - () https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow - Third Party Advisory

07 Jan 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-01-07 21:16

Updated : 2026-05-26 14:16

NVD link : CVE-2026-22189

Mitre link : CVE-2026-22189

CVE.ORG link : CVE-2026-22189

JSON object : View

Products Affected

cmu

  • panda3d
CWE
CWE-121

Stack-based Buffer Overflow

CWE-787

Out-of-bounds Write