Cyber Resilience

CVE-2026-22189

Severity: Medium · Public PoC

Published: 07 January 2026
Modified: 26 May 2026
CVSS Score (v4): 6.9
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0044 (34.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-22189 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Cmu Panda3D. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-22189 is a stack-based buffer overflow vulnerability in the egg-mkfont tool of Panda3D versions up to and including 1.10.16. The flaw stems from an unbounded sprintf() call that formats a user-supplied glyph pattern specified via the -gp option into a fixed-size stack buffer without length validation, allowing attacker-controlled input to overflow the buffer.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying an excessively long glyph pattern string, the attacker triggers memory corruption and a deterministic crash. Depending on the build configuration and execution environment, the overflow may enable arbitrary code execution.

Mitigation details are available in related advisories, including those published on VulnCheck at https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow and Full Disclosure at https://seclists.org/fulldisclosure/2026/Jan/10. Additional information and potential patches can be found on the Panda3D GitHub repository at https://github.com/panda3d/panda3d and official website at https://www.panda3d.org/.

Vulnerability details

The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.

CWE(s)

CWE-121 Stack-based Buffer Overflow
CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable stack-based buffer overflow (AV:N/AC:L/PR:N/UI:N) in a network-accessible tool, directly enabling exploitation of a public-facing application for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22190 (same product: Cmu Panda3D)
CVE-2025-2263 (shared CWE-121, CWE-787)
CVE-2025-34468 (shared CWE-121, CWE-787)
CVE-2025-70237 (shared CWE-121, CWE-787)
CVE-2025-54820 (shared CWE-121, CWE-787)
CVE-2025-70234 (shared CWE-121, CWE-787)
CVE-2025-0282 (shared CWE-121, CWE-787)
CVE-2025-70245 (shared CWE-121, CWE-787)
CVE-2025-70239 (shared CWE-121, CWE-787)
CVE-2023-54334 (shared CWE-121, CWE-787)

Affected Assets

cmu panda3d ≤ 1.10.16

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (SI-10 Information Input Validation)
Enforces validation of the -gp glyph pattern length before the unbounded sprintf() writes into the fixed stack buffer.

prevent (SI-16 Memory Protection)
Applies memory-protection mechanisms (e.g., stack canaries, ASLR, NX) that block reliable exploitation of the resulting stack corruption.

prevent
Requires prompt application of the Panda3D patch that replaces the unsafe sprintf() call with a bounded equivalent.
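The input-length check and the bounded replacement for the unbounded sprintf() that the controls above describe, as an added C example that is not Panda3D's own code: the buffer sizes and the "<pattern>_<index>.png" filename layout are assumptions standing in for whatever egg-mkfont actually builds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration only; not Panda3D's actual buffer sizes. */
#define GLYPH_PATTERN_MAX 32   /* longest -gp pattern we accept */
#define GLYPH_NAME_MAX    64   /* the fixed stack buffer the name is built in */

/* SI-10 style check: bound the -gp pattern before it reaches any formatting
 * call. Scans at most GLYPH_PATTERN_MAX + 1 bytes, so an oversized or
 * unterminated pattern is rejected without reading past the limit. */
bool glyph_pattern_length_ok(const char *pattern) {
    if (pattern == NULL) return false;
    for (size_t i = 0; i <= GLYPH_PATTERN_MAX; i++) {
        if (pattern[i] == '\0') return true;
    }
    return false;
}

/* Bounded replacement for an unbounded sprintf() into a fixed stack buffer.
 * The pattern is passed as a %s argument, never as the format string, and
 * snprintf's return value is checked so truncation is reported instead of
 * silently producing a partial name. Returns the name length, or -1 on
 * rejection or truncation (out is left empty in that case). */
int format_glyph_filename(char *out, size_t out_len,
                          const char *pattern, int glyph_index) {
    if (out == NULL || out_len == 0) return -1;
    out[0] = '\0';
    if (!glyph_pattern_length_ok(pattern)) return -1;
    int n = snprintf(out, out_len, "%s_%d.png", pattern, glyph_index);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';   /* would not fit: discard the truncated name */
        return -1;
    }
    return n;
}

/* Same call sequence a tool would make, driven with a constructed -gp
 * pattern four times longer than the limit; expected result: rejected. */
int demo_long_pattern_rejected(void) {
    char name[GLYPH_NAME_MAX];
    char long_pattern[GLYPH_PATTERN_MAX * 4 + 1];
    memset(long_pattern, 'A', sizeof long_pattern - 1);
    long_pattern[sizeof long_pattern - 1] = '\0';
    return format_glyph_filename(name, sizeof name, long_pattern, 65);
}
```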
