Description
Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior.
Published: 2026-01-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Panda3D releases up to version 1.10.16 contain a flaw in the deploy‑stub executable where stack memory is allocated using alloca() based on the argc value supplied by the attacker. The lack of validation on this value allows an attacker to provide a very large number of command‑line arguments, causing the stack to be exhausted. This results in a predictable crash of the deploy‑stub and can propagate uninitialized stack memory into the Python interpreter initialization, leading to undefined behavior during the runtime of the application.

Affected Systems

The vulnerability is present in Panda3D across all supported platforms that ship the deploy‑stub component. It affects any deployment of Panda3D version 1.10.16 or earlier, regardless of operating system, since the affected binary is included in all builds of the distribution.

Risk and Exploitability

The set of weaknesses that enable this vulnerability align with CWE-457, CWE-789, and CWE-908, which describe reliance on dynamic stack allocation, heap or stack overflows, and lack of bounds checking. The CVSS base score of 6.9 indicates a medium impact severity, yet the EPSS score of less than 1% suggests that exploitation likelihood is currently very low. The vulnerability is not listed in the CISA KEV catalog, implying that no documented active exploitation has been observed. However, because the attack vector is local command‑line manipulation, an adversary controlling execution of the deploy‑stub can readily trigger the crash without needing network access or additional privileges. The consequence is a denial of service for the affected process, potentially leading to interruption of game or simulation deployments.

Generated by OpenCVE AI on April 16, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Panda3D to version 1.10.17 or later where the deploy‑stub has been patched to validate argument count before stack allocation
  • If an upgrade is not immediately possible, limit the number of arguments passed to deploy‑stub to a safe threshold below the stack size limit and monitor for crashes in the process logs
  • Configure the deployment environment to restrict the user’s ability to execute deploy‑stub with arbitrary arguments, such as by enforcing command‑line input validation or running the stub in a sandboxed context

Generated by OpenCVE AI on April 16, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Cmu
Cmu panda3d
Weaknesses CWE-908
CPEs cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:*
Vendors & Products Cmu
Cmu panda3d
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Panda3d
Panda3d panda3d
Vendors & Products Panda3d
Panda3d panda3d

Wed, 07 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Description Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior.
Title Panda3D <= 1.10.16 Deploy-Stub Stack Exhaustion via Unbounded alloca()
Weaknesses CWE-457
CWE-789
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Cmu Panda3d
Panda3d Panda3d
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:09.033Z

Reserved: 2026-01-06T16:47:17.183Z

Link: CVE-2026-22188

cve-icon Vulnrichment

Updated: 2026-01-07T21:23:10.082Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T21:16:02.747

Modified: 2026-01-12T18:00:28.637

Link: CVE-2026-22188

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses