CVE-2022-47949: Critical RCE flaw affects multiple Nintendo games

A proof-of-concept (PoC) exploit and technical details for a remote code execution vulnerability that affects multiple Nintendo games, and that Nintendo patched during 2021 and 2022, have been published online.

Identified as CVE-2022-47949, the security issue could allow an attacker to execute code remotely on the victim’s console simply by playing an online game with them. The vulnerability has a CVSS 3.1 score of 9.8 out of 10 (Critical).

The C++ class NetworkBuffer is present in the network library enl (Net in Mario Kart 7) used by many first-party Nintendo games. The vulnerability is caused by improper bounds checking by the NetworkBuffer class. By sending a specially-crafted UDP packet, a remote attacker could overflow a buffer and execute arbitrary code on the system. Researchers codenamed the vulnerability “ENLBufferPwn.”

“The ENLBufferPwn vulnerability exploits a buffer overflow in the C++ class NetworkBuffer present in the network library enl (Net in Mario Kart 7) used by many first party Nintendo games. This class contains two methods Add and Set which fill a network buffer with data coming from other players. However, none of those methods check that the input data actually fits in the network buffer. Since the input data is controllable, a buffer overflow can be triggered on a remote console by just having an online game session with the attacker,” PabloMK7 wrote.
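The missing check described above, shown as an added example (this is not Nintendo's code and not taken from the researcher's write-up): a hypothetical fixed-capacity NetworkBuffer whose Add and Set reject peer-supplied data that does not fit. The struct layout, the 64-byte capacity and the SetUnchecked name are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for a fixed-capacity network buffer.
// Layout, names and capacity are assumptions, not the real enl class.
struct NetworkBuffer {
    static constexpr std::size_t kCapacity = 64;
    std::uint8_t data[kCapacity] = {};
    std::size_t  size = 0;  // bytes currently stored

    // Pattern the article describes: the length comes from the peer and is
    // never compared with the capacity. Kept for contrast only; never called.
    void SetUnchecked(const std::uint8_t* src, std::size_t len) {
        std::memcpy(data, src, len);  // writes past data[] when len > kCapacity
        size = len;
    }

    // Hardened Set: replaces the contents only if the input fits.
    bool Set(const std::uint8_t* src, std::size_t len) {
        if (src == nullptr || len > kCapacity) return false;
        std::memcpy(data, src, len);
        size = len;
        return true;
    }

    // Hardened Add: appends only if the input fits in the remaining space.
    // The comparison uses subtraction so that size + len cannot wrap around.
    bool Add(const std::uint8_t* src, std::size_t len) {
        if (src == nullptr || len > kCapacity - size) return false;
        std::memcpy(data + size, src, len);
        size += len;
        return true;
    }
};

int main() {
    // Constructed sample payload, larger than the buffer.
    std::uint8_t payload[200];
    std::memset(payload, 0x41, sizeof payload);

    NetworkBuffer buf;
    std::printf("Set 200 bytes: %s\n", buf.Set(payload, 200) ? "accepted" : "rejected");
    std::printf("Set 60 bytes:  %s\n", buf.Set(payload, 60) ? "accepted" : "rejected");
    std::printf("Add 10 bytes:  %s\n", buf.Add(payload, 10) ? "accepted" : "rejected");
    std::printf("stored size:   %zu\n", buf.size);
    return 0;
}
```

A rejected packet leaves the buffer and its size field unchanged, so the caller can drop the message or the session without touching adjacent memory.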

PabloMK7 also shared a proof-of-concept video showing how to exploit ENLBufferPwn in Mario Kart 7.

The CVE-2022-47949 vulnerability has been tested and confirmed to be successfully working on the following games:

  • Mario Kart 7 (fixed in v1.2)
  • Mario Kart 8
  • Mario Kart 8 Deluxe (fixed in v2.1.0)
  • Animal Crossing: New Horizons (fixed in v2.0.6)
  • ARMS (fixed in v5.4.1)
  • Splatoon
  • Splatoon 2 (fixed in v5.5.1)
  • Splatoon 3 (fixed in late 2022, exact version unknown)
  • Super Mario Maker 2 (fixed in v3.0.2)
  • Nintendo Switch Sports (fixed in late 2022, exact version unknown)
  • Probably more…

Nintendo has patched the vulnerability in many of the affected games. Users are advised to update their games to the fixed versions.