CVE-2025-54065 HIGH

CVE-2025-54065: GZDoom engine allows arbitrary code execution via ZScript actor states

Vendor Zdoom
Product gzdoom
Weakness CWE-913
Published December 3, 2025
Last update December 3, 2025

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.

Key dates

02Disclosure timeline

December 3, 2025 CVE published
December 3, 2025 Record updated