PT-2026-2164 · Panda3D · Panda3D

Ron Edgerson · Published 2026-01-07 · Updated 2026-05-26 · CVE-2026-22190

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Panda3D versions up to and including 1.10.16

Description

Panda3D's egg-mkfont utility contains an uncontrolled format string issue. The value of the -gp command-line option is used directly as the format string for the sprintf() function, which is called with a single argument. If an attacker supplies additional format specifiers, sprintf() may read unintended stack values and write the formatted output into the generated .egg and .png files, potentially disclosing stack-resident memory and pointer values.

Recommendations

Versions prior to 1.10.16 are not affected. Update Panda3D to a version later than 1.10.16.
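
The description above comes down to a user-supplied pattern acting as the format string. As an added example (not Panda3D's code and not its actual fix), one way to harden that shape in C is to accept a pattern only if it contains exactly one integer conversion and to bound the output; the function names and sample patterns are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Flawed shape described in the advisory (shown only as a comment):
 *     sprintf(name, user_pattern, glyph);
 * Extra conversions in user_pattern read arguments that were never passed. */

/* Hypothetical validator: returns 1 only if `pattern` holds exactly one
 * %d / %i conversion (optional flags, width of at most 3 digits);
 * "%%" is allowed as a literal percent sign. */
int glyph_pattern_is_safe(const char *pattern) {
    int conversions = 0;
    for (const char *p = pattern; *p; ++p) {
        if (*p != '%') continue;
        ++p;
        if (*p == '%') continue;                    /* literal percent sign */
        while (*p && strchr("-+ 0", *p)) ++p;       /* flags */
        int digits = 0;
        while (*p >= '0' && *p <= '9') { ++p; ++digits; }  /* width; '*' not allowed */
        if (digits > 3) return 0;
        if (*p != 'd' && *p != 'i') return 0;       /* any other conversion, or end of string */
        ++conversions;
    }
    return conversions == 1;
}

/* Formats the glyph name; returns 0 on success, -1 if the pattern is
 * rejected or the result does not fit in `out`. */
int format_glyph_name(char *out, size_t out_len, const char *pattern, int glyph) {
    if (!glyph_pattern_is_safe(pattern)) return -1;
    int n = snprintf(out, out_len, pattern, glyph);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void) {
    /* Constructed sample patterns, not taken from Panda3D. */
    const char *samples[] = { "glyph%03d", "100%%_%d", "%d_%x_%x", "%s", "plain" };
    char name[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i) {
        int rc = format_glyph_name(name, sizeof name, samples[i], 65);
        printf("%-10s -> %s\n", samples[i], rc == 0 ? name : "(rejected)");
    }
    return 0;
}
```

Building with -Wformat=2 also flags call sites where a non-literal string reaches a printf-family function, which helps locate the same pattern elsewhere in a code base.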

Weakness Enumeration: Use of Externally-Controlled Format String

Related Identifiers: CVE-2026-22190

Affected Products: Panda3D