Several of the first-party games from Nintendo on 3DS, Wii U, and Switch are vulnerable to an exploit that allows remote code execution.
This was reported through a GitHub page and an example was also demonstrated in a video. This was one of the reasons Nintendo decided to release a patch for Mario Kart 7 recently despite it being a decade-old game that launched for the Nintendo 3DS.
This exploit allows any hacker to execute a remote code on the target system i.e 3DS, Wii U, or Switch. All they need to do is to start an online match with the target machine. See the video in action below.
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games. It allows remote code execution in a victim console by just having an online game session with an attacker.
🧵(1/7) pic.twitter.com/4qewU5YQ9x — PabloMK7 (@Pablomf6) December 24, 2022
Here is a list of the games that have been discovered to be vulnerable to this exploit. There are possibly more games that might be affected by this issue.
Mario Kart 8 Deluxe (fixed in v2.1.0)
Animal Crossing: New Horizons (fixed in v2.0.6)
Splatoon 3 (fixed in late 2022, exact version unknown)
Super Mario Maker 2 (fixed in v3.0.2)
Nintendo Switch Sports (fixed in late 2022, exact version unknown)
If you want to read more about the exploit, check up the GitHub page. It offers details on how this exploit works. It is being codenamed the ENLBufferPwn vulnerability and it is astonishing that this affects many games from Nintendo’s first-party studios, even the recently released Splatoon 3 was affected by it until it was patched later.
While these kinds of things are usually found for older consoles, they can still happen in some of the modern games which shows that this is an issue with how Nintendo has implemented multiplayer for its hardware.
There is a very rare chance that you might be affected by this exploit but it is better to be safe than sorry. This exploit will allow an attacker to record audio/video from your hardware as well as take any other sensitive information, so it is best to avoid playing these games for now.
Carozanty on December 26th, 2022 at 10:17 UTC »
for those curious about when the games were and when they were patched here it is:
Mario Kart 7, December 14, 2022 (fixed in v1.2) * Splatoon 2, November 15, 2022 (fixed in v5.5.1) Splatoon 3, fixed in late 2022, (exact version unknown) Nintendo Switch Sports, fixed in late 2022, (exact version unknown) ARMS, November 14, 2022 (fixed in v5.4.1) Mario Kart 8 Deluxe, August 4, 2022 (fixed version 2.1.0) Animal Crossing: New Horizons, November 14, 2022 (fixed in v2.0.6) Super Mario Maker 2 , November 14, 2022 (fixed in v3.0.2)Unpatched:
Mario Kart 8 (still not fixed) Splatoon (still not fixed)As far as I can find no other games have been found with this exploit, and as for what exactly the exploit allows read this https://github.com/PabloMK7/ENLBufferPwn
TLDR is that it depends on the game and console, some would allow as little as repeatedly opening and closing the home menu on the 3DS to more severe actions like taking full control of the console, for the most part, it is more severe for the 3ds with it's weaker security measures. The switch would be notably harder to hack as it's security is better, moreover, it's unlikely one would be able to obtain critical data (personal data, credit/debit card, PayPal) from your consoles using this exploit so no need to stress over it.
Also credit to PabloMK7, Rambo6Glaz, Fishguy6564, for finding, reporting and working with Nintendo to fix the bug in a timely manner.
BaneBlaze on December 26th, 2022 at 08:15 UTC »
All of the games posted for switch have been patched.
Are there any updated lists of switch games still awaiting a patch?
Or is this all just a little sensational?
mostoriginalusername on December 26th, 2022 at 07:25 UTC »
Well looks like we know how we're going to be soft modding these consoles in the near future haha