Unrated severityOSV Advisory· Published Jan 7, 2026· Updated Mar 5, 2026
Panda3D <= 1.10.16 egg-mkfont Format String Information Disclosure
CVE-2026-22190
Description
Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- seclists.org/fulldisclosure/2026/Jan/11mitretechnical-descriptionexploit
- www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosuremitrethird-party-advisory
- www.panda3d.orgmitreproduct
News mentions
0No linked articles in our index yet.