CVE-2026-22188
MEDIUMCMU Panda3d < 1.10.16 - Use of Uninitialized Resource
Title source: ruleDescription
Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior.
References (4)
Scores
CVSS v3
5.5
EPSS
0.0002
EPSS Percentile
4.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-457
CWE-789
CWE-908
Status
published
Products (1)
cmu/panda3d
< 1.10.16
Published
Jan 07, 2026
Tracked Since
Feb 18, 2026