PatchSiren cyber security CVE debrief

CVE-2026-22190 Panda3D CVE debrief

A format string vulnerability exists in the egg-mkfont utility distributed with Panda3D, a 3D game engine developed by Carnegie Mellon University. The vulnerability affects versions up to and including 1.10.16. The -gp (glyph pattern) command-line option is passed directly to sprintf() as a format string with only a single argument supplied. An attacker who can control this input may inject additional format specifiers, causing the utility to read unintended stack values. The formatted output is written to generated .egg and .png files, resulting in disclosure of stack-resident memory contents including pointer values. This represents an information disclosure condition that could aid further exploitation. The vulnerability requires local access to execute the utility with attacker-controlled arguments, but does not require privileges or user interaction. The CVSS 4.0 vector indicates local attack vector with low attack complexity, no privileges required, and no user interaction, with low confidentiality impact to the vulnerable component.

Vendor: Panda3D
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-07
Original CVE updated: 2026-05-26
Advisory published: 2026-01-07
Advisory updated: 2026-05-26

Who should care

Organizations using Panda3D for game development or 3D applications, particularly those with automated font generation pipelines or multi-user environments where egg-mkfont may process untrusted input. Security teams monitoring for format string vulnerabilities in native code utilities.

Technical summary

The egg-mkfont utility in Panda3D ≤1.10.16 passes the -gp (glyph pattern) argument directly to sprintf() as a format string. With only one argument supplied to the variadic function, attacker-controlled format specifiers cause out-of-bounds stack reads. The formatted output containing leaked memory is written to generated font files (.egg, .png), constituting an information disclosure vulnerability.
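The following is an added illustration of the fix pattern for this class of bug, written for this debrief; it is not Panda3D's code, and the function names and the assumption that the glyph pattern is meant to carry exactly one integer conversion (the glyph index) are the author's own. The validator accepts only a single plain integer conversion and rejects everything that would consume extra variadic arguments or write to memory, and the wrapper refuses to format until that check passes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the risky pattern described above (not
 * Panda3D's code): the user-supplied glyph pattern is used as the printf
 * format for exactly one int argument, the glyph index.                */

/* Returns 1 if `pattern` is safe to hand to printf with one int argument:
 * exactly one conversion, and it must be a plain integer conversion
 * (%d %i %u %x %X %o) with optional flags, width and precision.  "%%" is
 * allowed as a literal percent sign.  Anything else (%s, %p, %n, '*'
 * widths, length modifiers, a second conversion) is rejected.          */
int glyph_pattern_is_safe(const char *pattern) {
    int conversions = 0;
    const char *p = pattern;
    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;
        if (*p == '%') { p++; continue; }               /* literal '%' */
        while (*p && strchr("-+ #0", *p)) p++;          /* flags */
        while (*p && isdigit((unsigned char)*p)) p++;   /* width: digits only, no '*' */
        if (*p == '.') {                                /* precision */
            p++;
            while (*p && isdigit((unsigned char)*p)) p++;
        }
        /* no length modifier allowed: the single argument is a plain int */
        if (*p == '\0' || strchr("diuxXo", *p) == NULL) return 0;
        p++;
        if (++conversions > 1) return 0;
    }
    return conversions == 1;
}

/* Hardened formatter: validates first, then uses a bounded snprintf.
 * Returns the number of characters written, or -1 if the pattern was
 * rejected or the output did not fit.                                  */
int format_glyph_name(char *out, size_t outsz,
                      const char *pattern, int glyph_index) {
    if (!glyph_pattern_is_safe(pattern)) return -1;
    int n = snprintf(out, outsz, pattern, glyph_index);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}
```

The same check is a useful gate in any pipeline that scripts egg-mkfont: reject the -gp value before it is ever passed to the binary.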

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Panda3D to a version newer than 1.10.16 when available
  • Audit systems for egg-mkfont usage and restrict execution to trusted inputs
  • Review generated .egg and .png files for unexpected content that may indicate exploitation attempts
  • Implement input validation for any automated or scripted use of the egg-mkfont -gp option
  • Monitor for anomalous process behavior when egg-mkfont executes with user-supplied glyph patterns

Evidence notes

The vulnerability was disclosed via the Full Disclosure mailing list and documented by VulnCheck. NVD records confirm affected versions through 1.10.16. The CWE-134 classification (Use of Externally-Controlled Format String) is provided as secondary source data. CVSS 4.0 scoring indicates medium severity with local attack requirements.
