CVE-2026-22189
9.8 CRITICAL
Published: 2026-01-07 · Last updated: 2026-05-26
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-121, CWE-787
Affected products
| Vendor | Product |
|---|---|
| cmu | panda3d |
Description
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.
Source: NVD
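To show the defect class the description names (an unbounded sprintf() into a fixed-size stack buffer) next to the bounded form a fix would use, here is an added C example; it is not Panda3D's code, and the buffer size, filename layout and function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the real Panda3D value is not on the page. */
#define GLYPH_NAME_MAX 64
/* Constructed "before" form of the defect the advisory describes: sprintf() writes the
 * caller-supplied pattern into a fixed stack buffer with no bound. Kept for contrast only. */
void build_glyph_name_unsafe(const char *pattern, int glyph, char *out)
{
    char buf[GLYPH_NAME_MAX];
    sprintf(buf, "%s%d.png", pattern, glyph); /* no length check: long pattern overflows buf */
    strcpy(out, buf);
}

/* Hardened form. snprintf() never writes past out_sz bytes, and it returns the
 * length the untruncated string would have had, so n >= out_sz means the name
 * did not fit. A clipped filename is rejected rather than used. The pattern is
 * also passed as a %s argument, never as the format string itself. */
bool build_glyph_name(const char *pattern, int glyph, char *out, size_t out_sz)
{
    if (pattern == NULL || out == NULL || out_sz == 0)
        return false;
    int n = snprintf(out, out_sz, "%s%d.png", pattern, glyph);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0'; /* do not leave a partially built name behind */
        return false;
    }
    return true;
}

/* Mirrors the stack-buffer usage: true only if the name fits in a local buffer
 * of GLYPH_NAME_MAX bytes. This is the check the vulnerable code lacked. */
bool glyph_name_fits(const char *pattern, int glyph)
{
    char buf[GLYPH_NAME_MAX];
    return build_glyph_name(pattern, glyph, buf, sizeof buf);
}

int main(void)
{
    char name[GLYPH_NAME_MAX];
    char long_pattern[200]; /* constructed over-long -gp value */
    memset(long_pattern, 'A', sizeof long_pattern - 1);
    long_pattern[sizeof long_pattern - 1] = '\0';
    printf("short pattern: %s\n", build_glyph_name("glyph_", 65, name, sizeof name) ? name : "rejected");
    printf("%zu-byte pattern: %s\n", strlen(long_pattern), glyph_name_fits(long_pattern, 65) ? "accepted" : "rejected");
    return 0;
}
```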
Related CVEs
Same vendor
- CVE-2026-35467 — The stored API keys in temporary browser client is not marked as protected allowing for JavaScript console or other errors to allow for ex... (7.5 HIGH)
- CVE-2026-35466 — XSS vulnerability in cveInterface.js allows for injected HTML to be passed to display, as cveInterface trusts input from CVE API services (6.1 MEDIUM)
- CVE-2026-22190 — The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability (7.5 HIGH)
- CVE-2026-22188 — The deploy-stub component in Panda3D versions up to and including 1.10.16 contains a denial of service vulnerability due to unbounded sta... (5.5 MEDIUM)
Same CWE
- CVE-2026-6676 — Heap buffer out-of-bounds write vulnerability in Avira Antivirus engine when scanning a malformed POSIX tar archive may allow Local Execu... (7.8 HIGH)
- CVE-2025-14098 — Heap buffer out-of-bounds write vulnerability due to integer overflow in Avira Antivirus engine when scanning a malformed MS-DOS executab... (7.8 HIGH)
- CVE-2026-41157 — A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger an out-of-bound write in the GPU ...
- CVE-2026-34195 — Software installed and run as a non-privileged user may conduct intentional GPU sparse memory API calls to cause out of bounds write in t...
- CVE-2025-7019 — Stack overflow vulnerability in Avast Antivirus when scanning a malformed Office Open XML file may allow Denial-of-Service of the antivir... (5.5 MEDIUM)