CVE-2026-22190
Uncontrolled Format String in Panda3D egg-mkfont Causes Memory Disclosure
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| panda3d | egg-mkfont | up to and including 1.10.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-134 | The product uses a function that accepts a format string as an argument, but the format string originates from an external source. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22190 is an uncontrolled format string vulnerability in Panda3D's egg-mkfont utility (up to and including version 1.10.16). The vulnerability occurs because the value of the -gp (glyph pattern) command-line option is used directly as the format string in a call to sprintf(), while only a single argument is supplied for it. If an attacker includes additional format specifiers in the -gp input, egg-mkfont reads unintended stack memory values and writes them into the generated .egg and .png files. This leads to disclosure of stack-resident memory and pointer values. [1, 2]
How can this vulnerability impact me?
An attacker who can invoke egg-mkfont with a crafted -gp option can read sensitive stack-resident memory values, including pointer-sized values and memory addresses. This information disclosure can weaken security mechanisms like Address Space Layout Randomization (ASLR), making it easier for attackers to exploit other vulnerabilities. The leaked memory contents are written into output files (.egg and .png), potentially exposing sensitive process memory. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the egg-mkfont utility with crafted inputs to the -gp (glyph pattern) option that include additional format specifiers such as '%p', '%x', or positional specifiers like '%n$p'. For example, running a command like `egg-mkfont -gp '%2$s%d'` reveals whether stack memory is disclosed in the generated .egg or .png files. Unexpected memory content or pointer values in these output files indicates that the installed version is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable egg-mkfont utility with untrusted input for the -gp option. Restrict access to the egg-mkfont utility to trusted users only. If possible, update Panda3D to a version later than 1.10.16 where this vulnerability is fixed. Alternatively, apply patches or workarounds that sanitize or validate the -gp input before it is used as a format string in sprintf(). [1, 2]
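As an added illustration of the input validation the mitigation above calls for (example code written here, not taken from Panda3D or egg-mkfont), the C check below accepts a glyph pattern only when printf would consume exactly one int argument from it, so the single value the tool passes always matches the format; the function names and the set of accepted conversions are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Accept a glyph-filename pattern only if printf would consume exactly one
 * int argument: a single %d/%i/%o/%u/%x/%X conversion (flags and fixed width
 * allowed) plus literal text and "%%". Positional "%2$s", %p, %s, %n, '*'
 * width and length modifiers are rejected because they read arguments the
 * caller never passes. The rule set is an assumption, not the tool's grammar. */
bool glyph_pattern_is_safe(const char *pat) {
    int conversions = 0;
    for (const char *p = pat; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                   /* "%%" is a literal % */
        while (*p && strchr("-+ #0", *p)) p++;     /* printf flags */
        while (*p >= '0' && *p <= '9') p++;        /* fixed field width */
        if (*p == '\0' || !strchr("diouxX", *p))   /* $, *, ., p, s, n, l... */
            return false;
        conversions++;
    }
    return conversions == 1;
}

/* Expand a validated pattern for glyph `index` into out. Returns the length
 * snprintf reports, or -1 (with out emptied) when the pattern is rejected, so
 * an untrusted -gp value never becomes the format argument. */
int format_glyph_name(char *out, size_t outsz, const char *pat, int index) {
    if (!glyph_pattern_is_safe(pat)) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return snprintf(out, outsz, pat, index);
}

/* Does expanding `pat` for `index` produce exactly `expected`? */
bool glyph_name_matches(const char *pat, int index, const char *expected) {
    char buf[128];
    return format_glyph_name(buf, sizeof buf, pat, index) >= 0
        && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed inputs: a benign pattern and two over-reading probes. */
    const char *inputs[] = { "glyph_%03d", "%2$s%d", "%p%p%p" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s -> %s\n", inputs[i],
               glyph_pattern_is_safe(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```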
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how CVE-2026-22190 affects compliance with common standards and regulations such as GDPR or HIPAA.