Cyber Posture

CVE-2026-22189

Severity: Critical · Public PoC
Published: 07 January 2026
Modified: 12 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

egg-mkfont in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability caused by an unbounded sprintf() call on attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Requires validation and bounds checking of user-supplied glyph pattern (-gp) input to prevent stack buffer overflow from unbounded sprintf() usage.
- prevent: Deploys memory protections such as stack canaries, ASLR, and non-executable stacks to mitigate exploitation of the stack-based buffer overflow leading to code execution.
- prevent: Mandates timely remediation of the known buffer overflow flaw in Panda3D egg-mkfont through patching as available in the GitHub repository.
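The bounds checking the first control calls for, shown as an added C example that is not Panda3D's code: the -gp value is length-checked before use and formatted with snprintf(), whose return value is checked, so an overlong pattern is rejected instead of overflowing the stack buffer. The buffer size, the length limit and the "<pattern>_<index>" filename layout are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define GLYPH_NAME_MAX    256   /* assumed size of the fixed stack buffer */
#define GLYPH_PATTERN_MAX 128   /* assumed cap on the -gp argument length */

/* Bounded length check of the -gp value before any formatting call.
 * Returns 1 if acceptable, 0 otherwise. */
int glyph_pattern_ok(const char *pattern) {
    if (pattern == NULL || *pattern == '\0') return 0;
    size_t n = 0;                          /* never scan past the limit */
    while (n <= GLYPH_PATTERN_MAX && pattern[n] != '\0') n++;
    return n <= GLYPH_PATTERN_MAX;
}

/* Build "<pattern>_<index>" into out[outsz] (constructed name layout).
 * snprintf() cannot write past outsz and reports the length it needed,
 * so a truncated name is never handed back. 0 on success, -1 otherwise. */
int format_glyph_filename(char *out, size_t outsz,
                          const char *pattern, int index) {
    if (out == NULL || outsz == 0) return -1;
    out[0] = '\0';
    if (!glyph_pattern_ok(pattern)) return -1;
    int needed = snprintf(out, outsz, "%s_%d", pattern, index);
    if (needed < 0 || (size_t)needed >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed inputs so the behaviour is checkable without a font file. */
int demo_short_pattern_accepted(void) {
    char name[GLYPH_NAME_MAX];             /* the fixed-size stack buffer */
    return format_glyph_filename(name, sizeof name, "glyph", 65) == 0
        && strcmp(name, "glyph_65") == 0;
}
int demo_overlong_pattern_rejected(void) {
    char name[GLYPH_NAME_MAX];
    char pattern[GLYPH_PATTERN_MAX + 2];   /* one byte over the limit */
    memset(pattern, 'A', sizeof pattern - 1);
    pattern[sizeof pattern - 1] = '\0';
    return format_glyph_filename(name, sizeof name, pattern, 65) == -1
        && name[0] == '\0';
}
int main(void) {
    printf("short pattern accepted: %d\n", demo_short_pattern_accepted());
    printf("overlong pattern rejected: %d\n", demo_overlong_pattern_rejected());
    return 0;
}
```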

Security Summary [AI-generated]

CVE-2026-22189 is a stack-based buffer overflow vulnerability in the egg-mkfont tool of Panda3D versions up to and including 1.10.16. The flaw stems from an unbounded sprintf() call that formats a user-supplied glyph pattern specified via the -gp option into a fixed-size stack buffer without length validation, allowing attacker-controlled input to overflow the buffer.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying an excessively long glyph pattern string, the attacker triggers memory corruption and a deterministic crash. Depending on the build configuration and execution environment, the overflow may enable arbitrary code execution.

Mitigation details are available in related advisories, including those published on VulnCheck at https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow and Full Disclosure at https://seclists.org/fulldisclosure/2026/Jan/10. Additional information and potential patches can be found in the Panda3D GitHub repository at https://github.com/panda3d/panda3d and on the official website at https://www.panda3d.org/.

Details

CWE(s)

Affected Products

cmu / panda3d ≤ 1.10.16

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable stack-based buffer overflow (AV:N/AC:L/PR:N/UI:N) in a network-accessible tool, directly enabling exploitation of a public-facing application for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
