CVE-2026-22190

7.5 HIGH

📋 TL;DR

This CVE describes an uncontrolled format string vulnerability in Panda3D's egg-mkfont tool. Attackers can exploit the -gp command-line option to read stack memory and disclose sensitive information like pointer values, which could aid further attacks. Users of Panda3D versions up to 1.10.16 who process font files with egg-mkfont are affected.

💻 Affected Systems

Products:
  • Panda3D
Versions: Up to and including 1.10.16
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the egg-mkfont tool when processing font files with the -gp option. Standard Panda3D runtime may not be directly vulnerable unless it calls egg-mkfont with untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure of stack memory including pointer addresses, environment variables, and potentially sensitive data that could enable ASLR bypass or facilitate further exploitation.

🟠 Likely Case

Disclosure of stack-resident memory contents and pointer values in generated .egg and .png files, potentially revealing system information useful for attackers.

🟢 If Mitigated

Limited information disclosure with no direct code execution, though leaked pointers could assist in developing more sophisticated attacks.

🌐 Internet-Facing: MEDIUM - egg-mkfont is typically used during development/build processes rather than exposed directly to internet, but web services processing user-supplied font files could be vulnerable.
🏢 Internal Only: MEDIUM - Internal build systems or tools using egg-mkfont with untrusted input could leak sensitive information to attackers with internal access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control of the -gp command-line argument to egg-mkfont. Public disclosure includes proof-of-concept demonstrating information disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.17 or later

Vendor Advisory: https://www.panda3d.org/

Restart Required: No

Instructions:

1. Check current Panda3D version.
2. Update to version 1.10.17 or later.
3. Rebuild any applications using Panda3D.
4. Regenerate any .egg font files created with vulnerable versions.

🔧 Temporary Workarounds

Input Validation for -gp Option

Platform: all

Validate or sanitize the -gp argument before passing to egg-mkfont to prevent format string specifiers.

# Example: Validate -gp contains only alphanumeric characters
# Before calling egg-mkfont, ensure $GLYPH_PATTERN matches ^[a-zA-Z0-9._-]+$

Avoid Untrusted Input

Platform: all

Do not use egg-mkfont with user-supplied or untrusted -gp arguments.

# Only use hardcoded or trusted glyph patterns
# egg-mkfont -gp "fixed_pattern" input.ttf output.egg

🧯 If You Can't Patch

  • Isolate egg-mkfont usage to trusted environments with no untrusted input
  • Monitor generated .egg and .png files for unexpected content or format string artifacts

🔍 How to Verify

Check if Vulnerable:

Check if Panda3D version is ≤1.10.16 and if egg-mkfont is used with the -gp option, especially with external input.

Check Version:

python -c "from panda3d.core import PandaSystem; print(PandaSystem.get_version_string())"  # or check package manager for installed version

Verify Fix Applied:

Verify Panda3D version is ≥1.10.17 and test egg-mkfont with malicious -gp input to confirm no information disclosure.

📡 Detection & Monitoring

Log Indicators:

  • Unusual egg-mkfont process executions with complex -gp arguments
  • Generated .egg/.png files containing format string artifacts or unexpected data

Network Indicators:

  • N/A - Local tool exploitation

SIEM Query:

Process execution where command contains 'egg-mkfont' and argument contains '%' characters in -gp parameter
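
The -gp allow-list from the workaround section and the SIEM condition above, combined into one check over logged command lines. This is an added example, not Panda3D code or the vendor's tooling; the function names and the sample log lines are constructed for illustration, and it assumes POSIX-style quoting in the logged command line.

```python
import re
import shlex
from pathlib import PurePosixPath

# Allow-list quoted in the workaround section of this page.
SAFE_GP = re.compile(r"^[a-zA-Z0-9._-]+$")

SAMPLE_LOG = [  # constructed process-execution lines, not real telemetry
    'egg-mkfont -gp glyph_page input.ttf output.egg',
    '/usr/bin/egg-mkfont -gp "page_%x" input.ttf output.egg',
    'egg-mkfont input.ttf output.egg',
    'egg-mkfont -gp "pages/../x" input.ttf output.egg',
    'egg2bam -o out.bam "100%.egg"',
]

def gp_values(argv):
    """Return every value that directly follows a -gp option."""
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-gp"]

def classify(cmdline):
    """None if not an egg-mkfont call, else ok / no-gp / format-specifier / rejected."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the log line
        argv = cmdline.split()
    if not argv or PurePosixPath(argv[0]).name != "egg-mkfont":
        return None
    values = gp_values(argv[1:])
    if not values:
        return "no-gp"
    if any("%" in v for v in values):
        return "format-specifier"
    # fullmatch, so a trailing newline cannot slip past the "$" anchor
    if all(SAFE_GP.fullmatch(v) for v in values):
        return "ok"
    return "rejected"

def scan(lines):
    """Return (verdict, line) for egg-mkfont calls whose -gp fails the allow-list."""
    results = [(classify(line), line) for line in lines]
    return [(v, l) for v, l in results if v in ("format-specifier", "rejected")]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(f"{verdict:17} {line}")
```

The same `classify` call can gate a build script before it invokes egg-mkfont: proceed only on "ok" or "no-gp".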
