CVE-2025-54065

Name of the Vulnerable Software and Affected Versions GZDoom versions 4.14.2 and earlier

Description GZDoom is a port for Doom engine games. In versions 4.14.2 and earlier, the ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.

Recommendations Update to a version of GZDoom later than 4.14.2.