CVE-2026-22190
7.5 HIGH
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability
Published: 2026-01-07 · Last updated: 2026-05-26
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-134
Affected products
| Vendor | Product |
|---|---|
| cmu | panda3d |
Description
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.
Source: NVD
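A defensive check for the pattern handling described above, as an added example that is not Panda3D's code or its fix: a caller-supplied glyph pattern is accepted only if it holds exactly one integer conversion, and is then formatted with a bounded write. The function names and the assumption that the single argument is an int character code are illustrative.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Accept literal text, "%%", and exactly one conversion of the form
 * %[flags][width](d|i). Everything else (%s, %n, %p, '*', length
 * modifiers, a second conversion) is refused. */
bool glyph_pattern_is_safe(const char *p)
{
    int conversions = 0;
    while (*p) {
        if (*p++ != '%') continue;              /* literal character */
        if (*p == '%') { p++; continue; }       /* escaped percent */
        while (*p && strchr("-0+ ", *p)) p++;   /* flags */
        int width_digits = 0;
        while (isdigit((unsigned char)*p)) {    /* width: at most 3 digits */
            if (++width_digits > 3) return false;
            p++;
        }
        if (*p != 'd' && *p != 'i') return false;
        p++;
        if (++conversions > 1) return false;    /* only one argument exists */
    }
    return conversions == 1;
}

/* Returns the length written, or -1 if the pattern is refused or the
 * output would not fit. `code` is assumed to be an int character code. */
int format_glyph_name(char *out, size_t outlen, const char *pattern, int code)
{
    if (!glyph_pattern_is_safe(pattern)) return -1;
    int n = snprintf(out, outlen, pattern, code);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample patterns, not taken from the advisory. */
    const char *samples[] = { "%d", "glyph_%04d", "%d.%p.%p", "%s", "%n" };
    char name[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int n = format_glyph_name(name, sizeof name, samples[i], 65);
        printf("%-12s -> %s\n", samples[i], n < 0 ? "(rejected)" : name);
    }
    return 0;
}
```

Validating before the call keeps the number of conversions equal to the number of arguments actually passed, which is the mismatch CWE-134 describes.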
Related CVEs
Same vendor
- CVE-2026-35467 — The stored API keys in temporary browser client is not marked as protected allowing for JavaScript console or other errors to allow for ex... (7.5 HIGH)
- CVE-2026-35466 — XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services (6.1 MEDIUM)
- CVE-2026-22189 — The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of... (9.8 CRITICAL)
- CVE-2026-22188 — The deploy-stub component in Panda3D versions up to and including 1.10.16 contains a denial of service vulnerability due to unbounded sta... (5.5 MEDIUM)
Same CWE
- CVE-2026-12174 — A security vulnerability has been detected in D-Link DCS-935L 1.10.01 (8.8 HIGH)
- CVE-2026-6250 — An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input
- CVE-2026-6242 — An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of external...
- CVE-2026-6241 — An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improper...
- CVE-2026-50211 — Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privi... (9.8 CRITICAL)