CVE-2026-22190
Modified Modified - Updated After Analysis
Uncontrolled Format String in Panda3D egg-mkfont Causes Memory Disclosure

Publication date: 2026-01-07

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22190
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
panda3d egg-mkfont to 1.10.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-134 The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22190 is an uncontrolled format string vulnerability in Panda3D's egg-mkfont utility (up to version 1.10.16). The vulnerability occurs because the -gp (glyph pattern) command-line option is used directly as the format string in a call to sprintf(), but only a single argument is supplied. If an attacker includes additional format specifiers in the -gp input, egg-mkfont reads unintended stack memory values and writes them into generated .egg and .png files. This leads to disclosure of stack-resident memory and pointer values. [1, 2]

Impact Analysis

An attacker who can invoke egg-mkfont with a crafted -gp option can read sensitive stack-resident memory values, including pointer-sized values and memory addresses. This information disclosure can weaken security mechanisms like Address Space Layout Randomization (ASLR), making it easier for attackers to exploit other vulnerabilities. The leaked memory contents are written into output files (.egg and .png), potentially exposing sensitive process memory. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the egg-mkfont utility with crafted inputs to the -gp (glyph pattern) option that include additional format specifiers such as '%p', '%x', or positional specifiers like '%n$p'. For example, running a command like `egg-mkfont -gp '%2$s%d'` can reveal if stack memory is being disclosed in the generated .egg or .png files. Observing unexpected memory content or pointer values in these output files indicates the presence of the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable egg-mkfont utility with untrusted input for the -gp option. Restrict access to the egg-mkfont utility to trusted users only. If possible, update Panda3D to a version later than 1.10.16 where this vulnerability is fixed. Alternatively, apply patches or workarounds that sanitize or validate the -gp input before it is used as a format string in sprintf(). [1, 2]

Compliance Impact

The provided resources do not specify how CVE-2026-22190 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart