PatchSiren cyber security CVE debrief

CVE-2026-22189 Panda3D CVE debrief

A stack-based buffer overflow vulnerability exists in the egg-mkfont utility of Panda3D, a game engine and 3D rendering framework developed by Carnegie Mellon University. The vulnerability stems from an unbounded sprintf() call when processing user-supplied glyph patterns (-gp parameter), allowing an attacker to overflow a fixed-size stack buffer through an excessively long input string. This results in memory corruption and deterministic crashes, with potential for arbitrary code execution depending on build configuration and execution environment. The vulnerability affects Panda3D versions up to and including 1.10.16. The issue was disclosed publicly on January 7, 2026, with the CVE record subsequently modified on May 26, 2026. No known exploitation in ransomware campaigns has been reported.

Vendor: Panda3D
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-07
Original CVE updated: 2026-05-26
Advisory published: 2026-01-07
Advisory updated: 2026-05-26

Who should care

Organizations using Panda3D for game development, simulation, or visualization; CI/CD pipelines performing automated font asset processing; security teams monitoring for memory corruption vulnerabilities in multimedia toolchains; developers maintaining legacy Panda3D deployments.

Technical summary

The egg-mkfont utility in Panda3D ≤1.10.16 contains a stack-based buffer overflow (CWE-121/CWE-787) in glyph filename construction. The vulnerable code uses sprintf() without bounds checking to format user-controlled glyph pattern strings (-gp parameter) into a fixed-size stack buffer. An attacker supplying a pattern exceeding buffer capacity triggers memory corruption, causing deterministic crashes. Exploitation for code execution is environment-dependent, requiring specific build configurations lacking modern exploit mitigations. The vulnerability is locally exploitable with no privileges required, though the attack surface is limited to contexts where egg-mkfont processes untrusted input.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Panda3D to a version newer than 1.10.16 when available, or apply vendor-provided patches
  • Audit systems for use of egg-mkfont utility, particularly in automated font processing pipelines
  • Implement input validation and length restrictions on glyph pattern parameters passed to egg-mkfont
  • Consider sandboxing or containerizing font processing workflows to limit blast radius of potential exploitation
  • Monitor for anomalous crashes in egg-mkfont processes as potential indicators of exploitation attempts
  • Review custom build configurations of Panda3D for security-hardening compiler flags (stack canaries, ASLR, NX bit)
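To make the defect class in the technical summary and the input-validation advice above concrete, here is an added illustration that is not Panda3D's own code: a hypothetical glyph-name builder in its unbounded sprintf() form next to a bounds-checked form, plus a length gate for the pattern parameter. The buffer size, the "%s_%d" layout and the function names are assumptions for the example only.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed stack buffer size; the real utility's size is not
 * stated in this debrief. */
#define GLYPH_NAME_MAX 64

/* The defect class described above: sprintf() writes as many bytes as the
 * formatted result needs, so a pattern longer than the buffer spills past it. */
void build_glyph_name_unsafe(char out[GLYPH_NAME_MAX],
                             const char *pattern, int glyph_index)
{
    sprintf(out, "%s_%d", pattern, glyph_index);   /* no bound on 'out' */
}

/* Hardened form: snprintf() never writes past out_size, and its return value
 * (the length the full result would have had) lets the caller detect
 * truncation and reject the input rather than emit a mangled file name. */
bool build_glyph_name_checked(char *out, size_t out_size,
                              const char *pattern, int glyph_index)
{
    if (out == NULL || out_size == 0 || pattern == NULL)
        return false;
    int needed = snprintf(out, out_size, "%s_%d", pattern, glyph_index);
    if (needed < 0 || (size_t)needed >= out_size) {
        out[0] = '\0';          /* do not leave a truncated name behind */
        return false;
    }
    return true;
}

/* Front-door length restriction for the pattern parameter, applied before
 * the string reaches any formatting code. Rejects NULL, empty and overlong. */
bool glyph_pattern_is_acceptable(const char *pattern, size_t max_len)
{
    if (pattern == NULL)
        return false;
    size_t len = 0;
    while (pattern[len] != '\0') {
        if (++len > max_len)
            return false;       /* stop scanning once the limit is exceeded */
    }
    return len > 0;
}

int main(void)
{
    char name[GLYPH_NAME_MAX];
    build_glyph_name_unsafe(name, "glyph", 65);   /* short input: fits */
    printf("unsafe builder, short input: %s\n", name);
    printf("checked builder, short input ok=%d -> %s\n",
           build_glyph_name_checked(name, sizeof name, "glyph", 65), name);
    return 0;
}
```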

Evidence notes

Vulnerability confirmed through NVD CPE criteria (cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:*) with versionEndIncluding 1.10.16. Multiple authoritative sources corroborate it, including a VulnCheck advisory and a Full Disclosure mailing list post. The CVSS 4.0 vector indicates a local attack vector with high availability impact. CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write) classifications are applied.

Official resources

2026-01-07