How to fix CVE-2025-54065?

Within 24 hours: Inventory all systems running GZDoom 4.14.2 or earlier and assess exposure to untrusted content sources. Within 7 days: Implement network segmentation to isolate affected systems and disable GZDoom on high-value assets if not business-critical. Within 30 days: Monitor vendor releases for patches and develop a deployment plan; consider alternative game engines for new projects until patches are available.

Is Debian affected by CVE-2025-54065?

GZDoom versions 4.14.2 and earlier contain a critical vulnerability allowing arbitrary code execution through malicious scripts. Organizations using GZDoom for gaming, modding, or simulation purposes face risk of system compromise if users load untrusted content or mods.

CVE-2025-54065

EUVD-2025-201101 HIGH

2025-12-03 [email protected]

7.9

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2025-201101

CVE Published

Dec 03, 2025 - 17:15 nvd

HIGH 7.9

Description

GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.

Analysis

Technical Context

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication. This vulnerability is classified as Improper Control of Dynamically-Managed Code Resources (CWE-913).

Remediation

Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: 0

Vendor Status

Debian

Bug #609352

gzdoom

Release	Status	Fixed Version	Urgency
	open	-	-

CVE-2025-54065 vulnerability details – vuln.today

Back

CVE-2025-54065

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Vendor Status

Debian

Share

CVE-2025-54065

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Vendor Status

Debian

Share

External POC / Exploit Code