CVE-2026-22189
Stack-Based Buffer Overflow in Panda3D egg-mkfont Allows Code Execution
Publication date: 2026-01-07
Last updated on: 2026-05-26
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| panda3d | egg_mkfont | up to 1.10.16 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22189 is a stack-based buffer overflow vulnerability in the Panda3D egg-mkfont utility (up to version 1.10.16). It occurs because the program uses an unsafe, unbounded sprintf() call to format glyph filenames using a user-supplied glyph pattern string (-gp option) into a fixed-size stack buffer without validating the input length. If an attacker supplies an excessively long glyph pattern string, it can overflow the buffer, causing memory corruption and a deterministic crash. Depending on the environment and build configuration, this overflow may also be exploited to execute arbitrary code. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to denial of service (DoS) by causing the egg-mkfont process to crash reliably when given crafted input. Additionally, it can cause memory corruption by overwriting adjacent stack memory beyond the buffer. In some cases, depending on the build and environment, it may allow an attacker to execute arbitrary code, which could compromise the affected system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the stack-based buffer overflow using a crafted input to the egg-mkfont utility. A suggested command to trigger the vulnerability is:

```sh
./egg-mkfont -gp "$(python3 - << 'EOF'
print("A" * 3000 + "%d")
EOF
)" /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf out.egg
```

This command supplies an excessively long glyph pattern string to the -gp option, causing a stack buffer overflow and a deterministic crash if the system is vulnerable. Monitoring for crashes or AddressSanitizer reports indicating stack-buffer-overflow errors can confirm the presence of the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable egg-mkfont utility version 1.10.16 or earlier with untrusted input, especially the -gp option. If possible, update Panda3D to a version later than 1.10.16 where this vulnerability is fixed. Alternatively, do not supply excessively long glyph pattern strings to the -gp option to prevent triggering the buffer overflow. Applying input validation or patching the code to replace unsafe sprintf() calls with bounded functions like snprintf() is recommended for a permanent fix. [1, 2]
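The permanent fix described above, shown as an added example in C. This is not Panda3D's code: the function names, the 256-byte buffer size and the 3000-character sample pattern are assumptions made for this illustration. The unbounded sprintf() into a fixed-size stack buffer is replaced by a bounded formatter that checks snprintf()'s return value for truncation and rejects the oversized pattern instead of overwriting the stack.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed output buffer. Placeholder chosen for this example;
 * it is not taken from egg-mkfont's source. */
#define GLYPH_NAME_MAX 256

/* Reject a glyph pattern up front if it cannot fit the output buffer even
 * before the glyph index is substituted. Returns 0 if acceptable, -1 otherwise.
 * Scanning stops at GLYPH_NAME_MAX so an unterminated or huge input is never
 * walked to its end. */
int check_glyph_pattern(const char *pattern)
{
    if (pattern == NULL)
        return -1;
    for (size_t i = 0; i < GLYPH_NAME_MAX; i++) {
        if (pattern[i] == '\0')
            return 0;
    }
    return -1;
}

/* Expand PATTERN into OUT, substituting the first "%d" with INDEX.
 * The user-supplied pattern is treated as a template and never handed to
 * printf as a format string; every write is bounded by OUTSZ.
 * Returns 0 on success, -1 if the result would be truncated (OUT is then
 * left as an empty string so a partial filename is never used). */
int format_glyph_name(const char *pattern, int index, char *out, size_t outsz)
{
    if (pattern == NULL || out == NULL || outsz == 0)
        return -1;

    const char *marker = strstr(pattern, "%d");
    int n;
    if (marker == NULL) {
        n = snprintf(out, outsz, "%s", pattern);
    } else {
        int prefix_len = (int)(marker - pattern);
        n = snprintf(out, outsz, "%.*s%d%s", prefix_len, pattern, index, marker + 2);
    }
    /* snprintf reports the length it wanted to write; >= outsz means truncation */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build a constructed oversized pattern (3000 'A's followed by "%d", the same
 * shape as the detection command's input) into DST, which must hold dstsz bytes. */
void build_oversized_pattern(char *dst, size_t dstsz)
{
    size_t fill = dstsz - 3; /* leave room for "%d" and the terminator */
    memset(dst, 'A', fill);
    memcpy(dst + fill, "%d", 3);
}

/* Run the oversized pattern through the checks; returns -1 when it is
 * rejected, which is the expected outcome in place of a stack overflow. */
int oversized_pattern_result(void)
{
    static char pattern[3003];
    char out[GLYPH_NAME_MAX];
    build_oversized_pattern(pattern, sizeof pattern);
    if (check_glyph_pattern(pattern) != 0)
        return -1;
    return format_glyph_name(pattern, 0, out, sizeof out);
}

int main(void)
{
    char out[GLYPH_NAME_MAX];

    if (format_glyph_name("glyph_%d.png", 65, out, sizeof out) == 0)
        printf("ok: %s\n", out);

    if (oversized_pattern_result() != 0)
        printf("rejected: pattern does not fit a %d-byte buffer\n", GLYPH_NAME_MAX);
    return 0;
}
```

Two design choices matter here: the length check happens before any formatting, so an oversized -gp value is refused early, and the formatter treats the return value of snprintf() as a signal rather than ignoring it, so a pattern that passes the length check but grows past the buffer once the index is substituted is still caught.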