Description
Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.
Published: 2026-01-07
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Panda3D versions up to and including 1.10.16 contain an uncontrolled format string vulnerability in the egg‑mkfont tool. The –gp (glyph pattern) command‑line option is fed directly as a format string to sprintf() with only a single supplied argument. An attacker can embed additional format specifiers, causing egg‑mkfont to read stack values and write the resulting output into generated .egg and .png files, thereby disclosing memory contents and pointer values.

Affected Systems

Affected by the vulnerability are installations of Panda3D version 1.10.16 or earlier. The issue is tied to the egg‑mkfont utility within the Panda3D distribution and can affect any platform where the distribution is installed, such as Windows, macOS, or Linux.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity, and the EPSS score is less than 1 %, suggesting a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a local attacker who has the ability to execute the egg‑mkfont command. By crafting a malicious –gp argument, the attacker can read sensitive information from the stack and have it written into output files, exposing confidential data to anyone with access to those files. No remotely exploitable conditions are described in the advisory.

Generated by OpenCVE AI on April 16, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Panda3D to version 1.10.17 or later where the egg‑mkfont format string handling is fixed.
  • If patching is not immediately possible, restrict execution of egg‑mkfont to trusted users and ensure the tool is run only in secure environments.
  • Validate or sanitize the –gp option prior to passing it to formatting functions, for example by escaping format specifiers or rejecting non‑alphanumeric input.

Generated by OpenCVE AI on April 16, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Cmu
Cmu panda3d
CPEs cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:*
Vendors & Products Cmu
Cmu panda3d
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Panda3d
Panda3d panda3d
Vendors & Products Panda3d
Panda3d panda3d

Wed, 07 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Description Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.
Title Panda3D <= 1.10.16 egg-mkfont Format String Information Disclosure
Weaknesses CWE-134
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cmu Panda3d
Panda3d Panda3d
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:11.739Z

Reserved: 2026-01-06T16:47:17.183Z

Link: CVE-2026-22190

cve-icon Vulnrichment

Updated: 2026-01-07T21:22:22.559Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T21:16:03.390

Modified: 2026-01-12T17:53:57.367

Link: CVE-2026-22190

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses