Skip to main content

Debian EUVDEUVD-2025-201101

| CVE-2025-54065 HIGH
Improper Control of Dynamically-Managed Code Resources (CWE-913)
2025-12-03 security-advisories@github.com
7.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.9 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 16:14 euvd
EUVD-2025-201101
Analysis Generated
Mar 15, 2026 - 16:14 vuln.today
CVE Published
Dec 03, 2025 - 17:15 nvd
HIGH 7.9

DescriptionGitHub Advisory

GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.

Analysis

GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.

Technical ContextAI

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication. This vulnerability is classified as Improper Control of Dynamically-Managed Code Resources (CWE-913).

RemediationAI

Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

Vendor StatusVendor

Debian

Bug #609352
gzdoom
Release Status Fixed Version Urgency
open - -

Share

EUVD-2025-201101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy