CVE-2026-22189
Modified Modified - Updated After Analysis
Stack-Based Buffer Overflow in Panda3D egg-mkfont Allows Code Execution

Publication date: 2026-01-07

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22189
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
panda3d egg_mkfont to 1.10.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22189 is a stack-based buffer overflow vulnerability in the Panda3D egg-mkfont utility (up to version 1.10.16). It occurs because the program uses an unsafe, unbounded sprintf() call to format glyph filenames using a user-supplied glyph pattern string (-gp option) into a fixed-size stack buffer without validating the input length. If an attacker supplies an excessively long glyph pattern string, it can overflow the buffer, causing memory corruption and a deterministic crash. Depending on the environment and build configuration, this overflow may also be exploited to execute arbitrary code. [1, 2]

Impact Analysis

This vulnerability can lead to denial of service (DoS) by causing the egg-mkfont process to crash reliably when given crafted input. Additionally, it can cause memory corruption by overwriting adjacent stack memory beyond the buffer. In some cases, depending on the build and environment, it may allow an attacker to execute arbitrary code, which could compromise the affected system. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to reproduce the stack-based buffer overflow using a crafted input to the egg-mkfont utility. A suggested command to trigger the vulnerability is: ./egg-mkfont -gp "$(python3 - << 'EOF' print("A" * 3000 + "%d") EOF )" /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf out.egg This command supplies an excessively long glyph pattern string to the -gp option, causing a stack buffer overflow and a deterministic crash if the system is vulnerable. Monitoring for crashes or AddressSanitizer reports indicating stack-buffer-overflow errors can confirm the presence of the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable egg-mkfont utility version 1.10.16 or earlier with untrusted input, especially the -gp option. If possible, update Panda3D to a version later than 1.10.16 where this vulnerability is fixed. Alternatively, do not supply excessively long glyph pattern strings to the -gp option to prevent triggering the buffer overflow. Applying input validation or patching the code to replace unsafe sprintf() calls with bounded functions like snprintf() is recommended for a permanent fix. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22189. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart