{"id":"CVE-2026-22189","details":"Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.","modified":"2026-04-10T05:45:06.887706Z","published":"2026-01-07T21:16:03.067Z","references":[{"type":"WEB","url":"https://www.panda3d.org/"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow"},{"type":"PACKAGE","url":"https://github.com/panda3d/panda3d"},{"type":"EVIDENCE","url":"https://seclists.org/fulldisclosure/2026/Jan/10"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/panda3d/panda3d","events":[{"introduced":"0"},{"last_affected":"e560eb8da370d86b096d6cb65eafd9ab40879b9a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.10.16"}]}}],"versions":["v1.10.0","v1.10.1","v1.10.10","v1.10.11","v1.10.12","v1.10.13","v1.10.14","v1.10.15","v1.10.16","v1.10.2","v1.10.3","v1.10.4","v1.10.4.1","v1.10.5","v1.10.6","v1.10.7","v1.10.8","v1.10.9","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22189.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}