CVE-2025-54065

Name
CVE-2025-54065
Description
GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/ZDoom/gzdoom/security/advisories/GHSA-prhc-chfw-32jg

Match rules

CPE URI Source package Min version Max version
gzdoom >= 0 <= 4.14.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
gzdoom edge-community 4.14.2-r1 Antoni Aloy <aaloytorrens@gmail.com> possibly vulnerable
gzdoom edge-community 4.14.2-r0 Antoni Aloy <aaloytorrens@gmail.com> possibly vulnerable
gzdoom edge-community 4.11.3-r1 Antoni Aloy <aaloytorrens@gmail.com> possibly vulnerable
gzdoom edge-community 4.11.3-r0 Antoni Aloy <aaloytorrens@gmail.com> possibly vulnerable
gzdoom 3.23-community 4.14.2-r1 Antoni Aloy <aaloytorrens@gmail.com> possibly vulnerable
gzdoom 3.22-community 4.11.3-r0 Antoni Aloy <aaloytorrens@gmail.com> possibly vulnerable