Arbitrary Code Execution Vulnerability in GZDoom Open Source Engine
CVE-2025-54065
7.8 HIGH
What is CVE-2025-54065?
GZDoom, a popular open-source port for Doom engine games, has a vulnerability in its ZScript actor state handling that allows for arbitrary code execution. Versions 4.14.2 and earlier permit scripts to manipulate memory improperly by reading from arbitrary addresses and writing to JIT-compiled code sections. This can be exploited by modifying function pointers and state transitions within crafted FState and VMFunction structures. As a result, malicious scripts may execute attacker-controlled bytecode, posing significant security risks to users.
Affected Version(s)
gzdoom <= 4.14.2
