CVE-2025-54065 is a vulnerability classified under CWE-913 (Improper Control of Dynamically-Managed Code Resources) affecting GZDoom, an open-source port of the Doom engine used for running Doom engine games. Specifically, in versions 4.14.2 and earlier, the ZScript actor state handling mechanism is flawed. The vulnerability arises because scripts can manipulate FState and VMFunction structures, which are used to manage actor states and virtual machine functions respectively. By copying these structures into writable buffers, an attacker-controlled script can modify function pointers and state transitions. This manipulation allows the script to write constants into the Just-In-Time (JIT) compiled code section and redirect the control flow to attacker-controlled bytecode. Consequently, an attacker with the ability to run scripts locally can execute arbitrary code within the context of the GZDoom process. The CVSS v3.1 score is 7.8, indicating high severity, with attack vector being local (AV:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact on confidentiality and integrity is high, while availability is not affected. No patches are currently linked, and no known exploits are reported in the wild. This vulnerability is critical for environments where GZDoom is used and where malicious local users or scripts could be introduced.

For European organizations, the impact of CVE-2025-54065 can be significant in contexts where GZDoom is deployed, such as gaming communities, educational institutions teaching game development, or software developers using the engine for projects. Successful exploitation can lead to arbitrary code execution, allowing attackers to compromise system confidentiality and integrity. This could result in unauthorized access to sensitive data, manipulation of game or application logic, or use of the compromised system as a foothold for further attacks within a network. Although the attack requires local access and user interaction, insider threats or compromised user accounts could leverage this vulnerability. The lack of availability impact reduces the risk of denial-of-service but does not mitigate the risk of data breaches or system compromise. European organizations with lax local user controls or those that allow execution of untrusted scripts in GZDoom environments are at higher risk. Additionally, the vulnerability could be leveraged in targeted attacks against developers or communities using GZDoom, potentially affecting intellectual property or user data.

1. Restrict script execution privileges within GZDoom environments to trusted users only, minimizing the risk of malicious script execution. 2. Implement strict local user access controls and monitor for unauthorized script activity or unusual modifications to FState and VMFunction structures. 3. Apply patches or updates from the GZDoom project as soon as they become available to address this vulnerability. 4. Use application whitelisting or sandboxing to limit the ability of scripts to write to executable memory regions. 5. Educate users and developers about the risks of running untrusted scripts and the importance of verifying script sources. 6. Employ runtime monitoring tools that can detect anomalous JIT code modifications or control flow redirections within GZDoom processes. 7. If patching is delayed, consider disabling or limiting the use of ZScript features that allow dynamic state manipulation. 8. Regularly audit GZDoom installations and configurations to ensure compliance with security best practices.