Front-page
Updated
ENLBufferPwn: Severe vulnerability in first party 3DS, Wii U and Switch games
ENLBufferPwn (CVE-2022-47949) is a vulnerability in the network code used in many first party Nintendo games since the 3DS. Combined with the right techniques, it allows remote code execution in the victim's console by just having an online game session with the attacker. The vulnerability was discovered by multiple people independently during 2021 and reported to Nintendo during 2021/2022. The severity of the vulnerability has been calculated as 9.8/10 (Critical) by the CVSS 3.1 calculator.
Combined with other OS vulnerabilities, full remote console takeover can be achieved. This has been demonstrated in the case of Mario Kart 7, where a payload is sent to launch SafeB9SInstaller. However, it is theoretically possible to do other malicious activities, such as stealing account/credit card information or taking unauthorized audio/video recordings using the console built-in mic/cameras.
Here is a list of games that are known to have had the vulnerability at some point (all the Switch and 3DS games listed have received updates that patch the vulnerability, so they are no longer affected):
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8 (still not fixed)
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon (still not fixed)
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed in late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed in late 2022, exact version unknown)
- Probably more...
A full report of the vulnerability can be found in the following GitHub repository.
Full vulnerability report (GitHub)
Last edited by PabloMK7,
