Description
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to the use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.
Published: 2026-01-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stack buffer overflow potentially enabling code execution
Action: Immediate Patch
AI Analysis

Impact

A stack-based buffer overflow occurs in Panda3D’s egg‑mkfont utility when an attacker supplies an overly long glyph pattern to the -gp option. The utility formats this input into a fixed‑size buffer using an unbounded sprintf, corrupting adjacent memory and causing a deterministic crash. Depending on build configuration and the execution environment, this overflow may also be leveraged to execute arbitrary code.

Affected Systems

The flaw affects Panda3D versions up to and including 1.10.16. Any system running those releases and using the egg‑mkfont tool is vulnerable, regardless of the host platform or operating system.

Risk and Exploitability

The CVSS base score is 6.9, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can supply a malicious glyph pattern to egg‑mkfont, typically in a local or remote execution scenario where the tool runs with higher privileges or on behalf of a user creating game assets.

Generated by OpenCVE AI on April 16, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Panda3D to a version newer than 1.10.16 once an official fix is released.
  • When an upgrade is not possible, restrict the use of egg‑mkfont so that only trusted users can run it, and validate or limit the length of the -gp argument to prevent buffer overflow.
  • Run any instance of egg‑mkfont under the least privilege required and consider containerizing the process to contain potential memory corruption.
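
The length limit recommended above can be enforced at the point where the glyph filename is built. The following C code is an added example, not Panda3D's own code: the function name, the 64-byte buffer size, and the assumption that the pattern carries a single %d slot for the character code are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define GLYPH_NAME_MAX 64   /* constructed size; the page does not give the real one */

/*
 * Bounded replacement for sprintf() into a fixed-size buffer.
 * Assumption of this example: the pattern holds one "%d" slot for the
 * character code. The pattern is passed as data, never as the format string.
 * Returns the name length, or -1 (with out emptied) when the pattern has no
 * slot or the expanded name does not fit; it never truncates silently.
 */
int glyph_name_bounded(char *out, size_t out_len, const char *pattern, int code)
{
    const char *slot;
    int n;

    if (out == NULL || out_len == 0 || pattern == NULL)
        return -1;
    out[0] = '\0';

    slot = strstr(pattern, "%d");
    if (slot == NULL)
        return -1;                          /* no placeholder: refuse */
    if ((size_t)(slot - pattern) >= out_len)
        return -1;                          /* prefix alone cannot fit */

    n = snprintf(out, out_len, "%.*s%d%s",
                 (int)(slot - pattern), pattern, code, slot + 2);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';                      /* would have overflowed: fail closed */
        return -1;
    }
    return n;
}

int main(void)
{
    char name[GLYPH_NAME_MAX];
    char long_pattern[512];                 /* constructed over-long -gp value */

    memset(long_pattern, 'A', sizeof long_pattern - 3);
    strcpy(long_pattern + sizeof long_pattern - 3, "%d");

    printf("%d %s\n", glyph_name_bounded(name, sizeof name, "glyph%d", 65), name);
    printf("%d\n", glyph_name_bounded(name, sizeof name, long_pattern, 65));
    return 0;
}
```

Checking the snprintf() return value against the buffer size is what separates a rejected pattern from a silently truncated filename.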


Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Cmu; Cmu panda3d |
| Weaknesses | | CWE-787 |
| CPEs | | `cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Cmu; Cmu panda3d |
| Metrics | | cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` |


Thu, 08 Jan 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Panda3d; Panda3d panda3d |
| Vendors & Products | | Panda3d; Panda3d panda3d |

Wed, 07 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Wed, 07 Jan 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution. |
| Title | | Panda3D <= 1.10.16 egg-mkfont Stack Buffer Overflow |
| Weaknesses | | CWE-121 |
| References | | |
| Metrics | | cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:10.932Z

Reserved: 2026-01-06T16:47:17.183Z

Link: CVE-2026-22189

Vulnrichment

Updated: 2026-01-07T21:21:26.312Z

NVD

Status: Analyzed

Published: 2026-01-07T21:16:03.067

Modified: 2026-01-12T17:59:18.370

Link: CVE-2026-22189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z
