Unrated severityOSV Advisory· Published Jan 7, 2026· Updated Mar 5, 2026
Panda3D <= 1.10.16 Deploy-Stub Stack Exhaustion via Unbounded alloca()
CVE-2026-22188
Description
Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- seclists.org/fulldisclosure/2026/Jan/9mitretechnical-descriptionexploit
- www.vulncheck.com/advisories/panda3d-deploy-stub-stack-exhaustion-via-unbounded-allocamitrethird-party-advisory
- www.panda3d.orgmitreproduct
News mentions
0No linked articles in our index yet.