CVE-2026-22189
Published: 07 January 2026
Summary
CVE-2026-22189 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in CMU Panda3D. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its exploit-likelihood ranking sits at the 37.1st percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): requires validation and bounds checking of the user-supplied glyph pattern (-gp) input, so that the length of the formatted result is checked against the destination buffer before it is written, preventing the stack buffer overflow caused by unbounded sprintf() usage.
SI-16 (Memory Protection): deploys memory protections such as stack canaries, ASLR (with position-independent executables) and non-executable stacks, which raise the cost of turning the stack-based buffer overflow into code execution but do not remove the underlying flaw.
SI-2 (Flaw Remediation): mandates timely remediation of the known buffer overflow flaw in Panda3D egg-mkfont through patching as available from the Panda3D GitHub repository.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is scored as a remotely exploitable stack-based buffer overflow (CVSS vector AV:N/AC:L/PR:N/UI:N), so the mapping is to exploitation of a public-facing application for arbitrary code execution. One caveat for defenders: egg-mkfont is a command-line tool that takes the glyph pattern from its -gp option, so the network attack vector applies in practice only where a service, web front end or build pipeline passes attacker-controlled input to that option; systems that run egg-mkfont solely on trusted, locally authored input are exposed to the crash and memory corruption but not to a remote trigger.
NVD Description
Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.
Deeper analysis
CVE-2026-22189 is a stack-based buffer overflow vulnerability in the egg-mkfont tool of Panda3D versions up to and including 1.10.16. The flaw stems from an unbounded sprintf() call that formats a user-supplied glyph pattern specified via the -gp option into a fixed-size stack buffer without length validation, allowing attacker-controlled input to overflow the buffer.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying an excessively long glyph pattern string, the attacker triggers memory corruption and a deterministic crash. Depending on the build configuration and execution environment, the overflow may enable arbitrary code execution.
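The bug class described above, shown as an added example in C. This is not Panda3D's code: the buffer size, the filename layout ("pattern_index.png") and the function names are assumptions chosen to illustrate the pattern, since the page does not reproduce the egg-mkfont source. The first function has the shape the advisory describes (sprintf() into a fixed-size stack buffer with no length check); the second is the SI-10 hardening, which rejects input that cannot fit and checks the snprintf() return value rather than silently truncating.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for egg-mkfont's fixed-size stack buffer. The real
 * size and the real filename layout are not given on the page. */
#define GLYPH_NAME_MAX 64

/* Vulnerable shape, as the advisory describes it: the -gp pattern is formatted
 * into a fixed-size stack buffer with sprintf() and no length validation.
 * A pattern longer than the buffer writes past 'name' on the stack.
 * Kept for comparison only; never call it with untrusted input. */
void glyph_filename_unbounded(const char *pattern, int index)
{
    char name[GLYPH_NAME_MAX];
    sprintf(name, "%s_%d.png", pattern, index);   /* no bound on strlen(pattern) */
    (void)name;
}

/* Hardened form (SI-10 input validation). Returns 0 on success and -1 if the
 * formatted filename would not fit in 'out'. snprintf() never writes more than
 * outsz bytes, and its return value is the length the full string would have
 * had, so a value >= outsz means the result was truncated. */
int glyph_filename_bounded(const char *pattern, int index,
                           char *out, size_t outsz)
{
    if (pattern == NULL || out == NULL || outsz == 0)
        return -1;

    /* Cheap pre-check on the attacker-controlled part: "_%d.png" contributes at
     * least 6 bytes ("_", one digit, ".png") plus the terminating NUL. */
    if (strlen(pattern) + 6 + 1 > outsz)
        return -1;

    int n = snprintf(out, outsz, "%s_%d.png", pattern, index);
    if (n < 0 || (size_t)n >= outsz) {
        /* A truncated filename would silently point at a different file;
         * treat it as a hard error rather than continuing. */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed attacker input: an excessively long pattern, as in the advisory.
 * Returns 1 if the hardened path rejects it, 0 if it accepts it. */
int rejects_long_pattern(void)
{
    char longpat[512];
    memset(longpat, 'A', sizeof longpat - 1);
    longpat[sizeof longpat - 1] = '\0';

    char out[GLYPH_NAME_MAX];
    return glyph_filename_bounded(longpat, 1, out, sizeof out) == -1;
}

int main(void)
{
    char out[GLYPH_NAME_MAX];
    if (glyph_filename_bounded("glyph", 7, out, sizeof out) == 0)
        printf("ok: %s\n", out);
    printf("long pattern rejected: %d\n", rejects_long_pattern());
    return 0;
}
```

The pre-check and the return-value check are both needed: the pre-check keeps oversized input from reaching the formatter at all, and the snprintf() check catches the case where the integer conversion pushes an otherwise acceptable pattern over the limit. The SI-16 side of the page's mitigations is a build matter rather than a source change: compiling with -fstack-protector-strong, -fPIE -pie and -D_FORTIFY_SOURCE=2 turns an overflow of 'name' in the unbounded version into a stack-check or fortify abort instead of a silent memory corruption, which is what the advisory means by exploitability depending on build configuration.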
Mitigation details are available in related advisories, including those published on VulnCheck at https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow and Full Disclosure at https://seclists.org/fulldisclosure/2026/Jan/10. Additional information and potential patches can be found on the Panda3D GitHub repository at https://github.com/panda3d/panda3d and official website at https://www.panda3d.org/.
Details
- CWE(s)