CVE-2025-54065

Published: Dec 3, 2025

Modified: Dec 3, 2025

PUBLISHED

CVSS v3.1

7.8

HIGH

Description

GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.

Vendor	Product	Versions
ZDoom	gzdoom	affected `<= 4.14.2`

Weaknesses (CWE)

CWE-913

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/ZDoom/gzdoom/security/advisories/GHSA-prhc-chfw-32jg

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-54065

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References