CVE-2026-22190
Published: 07 January 2026
Summary
CVE-2026-22190 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Cmu Panda3D. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It is ranked at the 19.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Format string bug directly enables reading/disclosing arbitrary stack memory (pointers + sensitive values) from the local system into attacker-retrievable output files.
NVD Description
Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.
Deeper analysis
CVE-2026-22190 is an uncontrolled format string vulnerability (CWE-134) in the egg-mkfont tool of Panda3D, affecting versions up to and including 1.10.16. The vulnerability arises because the -gp (glyph pattern) command-line option is passed directly as the format string to sprintf() with only a single argument provided. An attacker can supply additional format specifiers via this option, causing egg-mkfont to read unintended values from the stack and incorporate the formatted output into the generated .egg and .png files, leading to disclosure of stack-resident memory and pointer values. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited remotely by any unauthenticated attacker with network access to a system running the affected egg-mkfont tool, requiring low complexity and no user interaction. Exploitation involves crafting a malicious -gp argument with format specifiers such as %p or %x, tricking a user or automated process into invoking egg-mkfont with the tainted input. Successful exploitation results in information disclosure, as the leaked stack data—including memory addresses and potentially sensitive values—is embedded in the output .egg and .png files, which could then be retrieved by the attacker.
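As an added illustration (not code from Panda3D, NVD or any of the advisories linked on this page), the following C program shows the defensive alternative to the shape the description and analysis above name, where the user-supplied -gp pattern is handed to sprintf() as the format string with a single argument. Instead, the pattern is interpreted by the program itself: it accepts literal bytes, "%%" for a literal percent sign, and exactly one integer placeholder (%d or %x with an optional zero-padded width), and rejects everything else, so %p, %s, %n or a second conversion never reach a printf-family call. The function names, the placeholder grammar, the width cap and the sample patterns are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Panda3D code). The advisory describes the unsafe shape
 *     sprintf(buf, glyph_pattern, glyph_index);   // glyph_pattern comes from -gp
 * where any extra conversion in glyph_pattern reads values the caller never
 * supplied. The function below never passes the pattern to a printf-family
 * routine: it walks the pattern itself and renders the one allowed
 * placeholder with a literal format string.
 *
 * Accepted grammar (an assumption for this example):
 *   literal bytes, "%%" for a literal percent sign, and exactly one
 *   "%[0][width]d" or "%[0][width]x" placeholder for the glyph code.
 * Returns the output length, or -1 if the pattern is rejected or 'out'
 * is too small.
 */
int safe_glyph_name(const char *pattern, int code, char *out, size_t outsz)
{
    size_t o = 0;
    int placeholders = 0;

    if (pattern == NULL || out == NULL || outsz == 0)
        return -1;

    for (const char *p = pattern; *p != '\0'; ++p) {
        if (*p != '%') {                    /* plain literal byte */
            if (o + 1 >= outsz) return -1;
            out[o++] = *p;
            continue;
        }
        ++p;
        if (*p == '%') {                    /* "%%" -> literal '%' */
            if (o + 1 >= outsz) return -1;
            out[o++] = '%';
            continue;
        }

        /* Optional zero-pad flag and width, capped so tmp cannot overflow. */
        int zero_pad = 0, width = 0;
        if (*p == '0') { zero_pad = 1; ++p; }
        while (isdigit((unsigned char)*p)) {
            width = width * 10 + (*p - '0');
            if (width > 16) return -1;
            ++p;
        }

        /* Only two integer conversions are allowed; %p, %s, %n and a
         * truncated "%" at end of pattern all land here and are rejected. */
        if (*p != 'd' && *p != 'x') return -1;
        /* The original call supplied exactly one argument, so allow exactly one. */
        if (++placeholders > 1) return -1;

        char tmp[32];
        int n;
        if (*p == 'd')
            n = snprintf(tmp, sizeof tmp, zero_pad ? "%0*d" : "%*d", width, code);
        else
            n = snprintf(tmp, sizeof tmp, zero_pad ? "%0*x" : "%*x", width, (unsigned)code);
        if (n < 0 || (size_t)n >= sizeof tmp || o + (size_t)n >= outsz) return -1;
        memcpy(out + o, tmp, (size_t)n);
        o += (size_t)n;
    }

    if (placeholders != 1) return -1;       /* the pattern must name the glyph exactly once */
    out[o] = '\0';
    return (int)o;
}

/* Helper for checks: 1 if 'pattern' renders to 'expected', or is rejected
 * when 'expected' is NULL; 0 otherwise. */
int check_glyph(const char *pattern, int code, const char *expected)
{
    char buf[64];
    int n = safe_glyph_name(pattern, code, buf, sizeof buf);
    if (expected == NULL) return n < 0;
    return n >= 0 && (size_t)n == strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample patterns: two benign, two of the kind that must be refused. */
    const char *samples[] = { "glyph_%03d", "%x.png", "%p%p%p", "%d-%d" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        int n = safe_glyph_name(samples[i], 7, buf, sizeof buf);
        printf("%-12s -> %s\n", samples[i], n < 0 ? "rejected" : buf);
    }
    return 0;
}
```

The design choice worth noting is that validation alone ("does the pattern contain only %d?") still ends with the pattern being handed to sprintf(); rendering the placeholder yourself removes that call entirely, so a future change to the grammar cannot reintroduce the CWE-134 path. A width cap and a length check on every write also keep the renamed buffer from becoming an overflow in its own right.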
Mitigation details and patches are documented in advisories available at https://seclists.org/fulldisclosure/2026/Jan/11, https://www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosure, the Panda3D GitHub repository at https://github.com/panda3d/panda3d, and the official site at https://www.panda3d.org/. Security practitioners should review these sources for updated versions and apply patches promptly to vulnerable Panda3D installations.
Details
- CWE(s)