CVE-2026-22190
Published: 07 January 2026
Summary
CVE-2026-22190 is a medium-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in CMU Panda3D. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability is ranked at the 13.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22190 is an uncontrolled format string vulnerability (CWE-134) in the egg-mkfont tool of Panda3D, affecting versions up to and including 1.10.16. The vulnerability arises because the -gp (glyph pattern) command-line option is passed directly as the format string to sprintf() with only a single argument provided. An attacker can supply additional format specifiers via this option, causing egg-mkfont to read unintended values from the stack and incorporate the formatted output into the generated .egg and .png files, leading to disclosure of stack-resident memory and pointer values. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited remotely by any unauthenticated attacker with network access to a system running the affected egg-mkfont tool, requiring low complexity and no user interaction. Exploitation involves crafting a malicious -gp argument with format specifiers such as %p or %x, tricking a user or automated process into invoking egg-mkfont with the tainted input. Successful exploitation results in information disclosure, as the leaked stack data—including memory addresses and potentially sensitive values—is embedded in the output .egg and .png files, which could then be retrieved by the attacker.
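The root cause described above is a printf-family call whose format string comes from the command line while only one argument is supplied. The mitigation the page points at (SI-10, input validation) is to check the pattern before it ever reaches the formatting call. The following C program is an added example written for this page; it is not Panda3D's code and does not reproduce egg-mkfont's real option handling. It assumes a hypothetical contract in which a glyph pattern may contain exactly one integer conversion for the glyph index (optionally with simple flags and a width, e.g. "%03d") plus literal "%%", and rejects every other conversion so that snprintf() is never handed a specifier it has no argument for.

```c
/* Added example (not Panda3D code): validate a user-supplied glyph naming
 * pattern before it is used as a format string, and expand it safely.
 * Assumed contract: exactly one integer conversion for the glyph index,
 * optional flags '-', '+', ' ', '0' and a decimal width, literal "%%"
 * allowed; anything else (e.g. "%p", "%x", "%s", "%*d", "%.3d") is rejected. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Returns true when `pattern` is safe to pass to snprintf() together with
 * a single int argument: it contains exactly one %d/%i conversion and no
 * other conversion specifiers. */
bool glyph_pattern_is_safe(const char *pattern) {
    int conversions = 0;
    for (const char *p = pattern; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                 /* "%%" is a literal percent sign */
            continue;
        /* Optional flags that are well defined for an int conversion. */
        while (*p == '-' || *p == '+' || *p == ' ' || *p == '0')
            p++;
        /* Optional fixed width. A '*' width would consume an extra argument,
         * so it is not accepted here and falls through to the rejection below. */
        while (*p >= '0' && *p <= '9')
            p++;
        /* Only an int conversion is allowed; this also rejects a trailing
         * lone '%' (where *p is the terminator). */
        if (*p != 'd' && *p != 'i')
            return false;
        if (++conversions > 1)         /* a second conversion has no argument */
            return false;
    }
    return conversions == 1;
}

/* Expands a validated pattern with the glyph index into `out`.
 * Returns the number of characters written, or -1 if the pattern was
 * rejected or the result would not fit in `out_len` bytes. */
int expand_glyph_name(const char *pattern, int glyph_index,
                      char *out, size_t out_len) {
    if (!glyph_pattern_is_safe(pattern))
        return -1;
    int n = snprintf(out, out_len, pattern, glyph_index);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(void) {
    /* Constructed sample patterns: the first and fourth are legitimate,
     * the others would make a plain sprintf() read missing arguments. */
    const char *samples[] = { "glyph%03d", "%p.%x", "%d_%d", "100%%_%d", "%s", "%*d" };
    char name[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = expand_glyph_name(samples[i], 65, name, sizeof name);
        printf("%-10s -> %s\n", samples[i], n < 0 ? "REJECTED" : name);
    }
    return 0;
}
```

The check runs before the formatting call, so the decision does not depend on what the C library would do with an unexpected specifier; the width and flag handling is deliberately narrow, because every accepted feature has to be one that is well defined with exactly one int argument.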
Mitigation details and patches are documented in advisories available at https://seclists.org/fulldisclosure/2026/Jan/11, https://www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosure, the Panda3D GitHub repository at https://github.com/panda3d/panda3d, and the official site at https://www.panda3d.org/. Security practitioners should review these sources for updated versions and apply patches promptly to vulnerable Panda3D installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1163
Vulnerability details
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.
- CWE(s): CWE-134 (Use of Externally-Controlled Format String)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1005 Data from Local System
Why these techniques?
Format string bug directly enables reading/disclosing arbitrary stack memory (pointers + sensitive values) from the local system into attacker-retrievable output files.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Rejects or sanitizes the untrusted -gp glyph pattern argument before it is used directly as a format string to sprintf().
- SI-2 (Flaw Remediation): Requires prompt installation of the vendor patch that removes the uncontrolled format-string call from egg-mkfont.
- Verifies the integrity of the Panda3D binaries and of generated .egg/.png files to detect corruption or leakage artifacts from exploitation.