cvedb.io
CVE-2026-22190
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-01-07T21:16:03.390 · Last modified 2026-06-17T10:19:30.843

Summary

The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values.

Affected products

cmu — panda3d

Does this affect you?

Add your gear to cvedb and we'll alert you only when cmu ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.