GZDoom’s Code Woes: When ZScript Mods Go Rogue!
GZDoom 4.13.1 and below have a curious bug where a massive array of integers in ZScript can lead to arbitrary code execution. It’s like giving your game a license to thrill—or crash. MITRE has reserved CVE-2024-54756 for this, and a patch is expected in version 4.13.2.

Hot Take:
Who knew a game engine like GZDoom could turn into a virtual minefield of security exploits? It seems like someone took the phrase “playing with fire” a bit too literally and decided to code it into the game. If you’re looking to dive into modding, maybe keep an extinguisher handy for your computer!
Key Points:
- GZDoom 4.13.1 and earlier versions are vulnerable to arbitrary code execution via ZScript.
- The exploit involves creating an enormous array in ZScript that overlaps with another, allowing memory manipulation.
- This flaw can be exploited by embedding malicious ZScript in mods or mapsets shared in the Doom community.
- The vulnerability has been reserved under CVE-2024-54756 and is expected to be patched in version 4.13.2.
- Additional low-hanging vulnerabilities were identified, but they were not deemed severe enough for CVE classification.
Already a member? Log in here