CVE-2026-22190

The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/panda3d/panda3d	Product
https://seclists.org/fulldisclosure/2026/Jan/11	Exploit Mailing List Third Party Advisory
https://www.panda3d.org/	Product
https://www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosure	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:*

History

26 May 2026, 14:16

Type	Values Removed	Values Added
Summary		(es) Las versiones de Panda3D hasta la 1.10.16 inclusive egg-mkfont contienen una vulnerabilidad de cadena de formato incontrolada. La opción de línea de comandos -gp (patrón de glifo) se utiliza directamente como la cadena de formato para sprintf() con un único argumento proporcionado. Si un atacante proporciona especificadores de formato adicionales, egg-mkfont puede leer valores de pila no intencionados y escribir la salida formateada en archivos .egg y .png generados, lo que resulta en la divulgación de memoria residente en la pila y valores de puntero.
Summary	(en) Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.	(en) The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.

12 Jan 2026, 17:53

Type	Values Removed	Values Added
First Time		Cmu Cmu panda3d
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:cmu:panda3d::::::::
References	~~() https://github.com/panda3d/panda3d -~~	() https://github.com/panda3d/panda3d - Product
References	~~() https://seclists.org/fulldisclosure/2026/Jan/11 -~~	() https://seclists.org/fulldisclosure/2026/Jan/11 - Exploit, Mailing List, Third Party Advisory
References	~~() https://www.panda3d.org/ -~~	() https://www.panda3d.org/ - Product
References	~~() https://www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosure -~~	() https://www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosure - Third Party Advisory

07 Jan 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-07 21:16

Updated : 2026-06-17 10:19

NVD link : CVE-2026-22190

Mitre link : CVE-2026-22190

CVE.ORG link : CVE-2026-22190

JSON object : View

Products Affected

cmu

panda3d

CWE

CWE-134

Use of Externally-Controlled Format String

7.5 /10