VYPR
High severity7.5OSV Advisory· Published Jan 7, 2026· Updated May 26, 2026

CVE-2026-22190

CVE-2026-22190

Description

The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Panda3d/Panda3dOSV2 versions
    v1.10.0, v1.10.1, v1.10.10, …+ 1 more
    • (no CPE)range: v1.10.0, v1.10.1, v1.10.10, …
    • (no CPE)range: <=1.10.16

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.