Heads-Up, Nintendo Is Scrambling To Patch Major Security Flaws In These Popular Games

You're sitting there, playing Mario Kart online on the brand-new Nintendo Switch you got over the holidays. All of a sudden, you get booted back to the home screen on the Switch. You reconnect to the game, only for it to happen again. Thanks to a security vulnerability found in numerous first-party Nintendo titles dating back to the Nintendo 3DS, this very well could be a reality.

First found in Mario Kart 7 for the Nintendo 3DS, the vulnerability is known as ENLBufferPwn. ENLBufferPwn allows a remote attacker to execute code on a 3DS or potentially a Nintendo Switch by exploiting two functions in the code for the games, Add and Set.

The functions in question receive network buffer information from other players. This is usually information such as track position, possibly the speed of the player so graphics can display the opponent properly, and so on. Unfortunately, neither of the functions actually checks the size of the network buffer on the incoming data. Because of this, a false network buffer can be put into the data being sent and in turn create a buffer overflow, allowing remote code execution.
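To make the missing check concrete, here is an added example (not Nintendo's code and not taken from PabloMK7's write-up) of a fixed-size receive buffer with an unchecked Set next to bounds-checked Set and Add. The `NetBuf` type, its 64-byte capacity and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NETBUF_CAP 64   /* assumed capacity; the real size is not on the page */

typedef struct {        /* hypothetical layout of a per-player receive buffer */
    uint8_t data[NETBUF_CAP];
    size_t  size;       /* bytes currently valid in data */
} NetBuf;

/* Unchecked form, the pattern the article describes: the sender's length is
 * trusted, so len > NETBUF_CAP writes past data. For contrast only. */
void netbuf_set_unchecked(NetBuf *b, const uint8_t *src, size_t len) {
    memcpy(b->data, src, len);
    b->size = len;
}

/* Checked Set: replace the contents, rejecting anything over capacity. */
int netbuf_set(NetBuf *b, const uint8_t *src, size_t len) {
    if (b == NULL || src == NULL || len > NETBUF_CAP)
        return -1;
    memcpy(b->data, src, len);
    b->size = len;
    return 0;
}

/* Checked Add: append. Comparing len with the remaining room (instead of
 * testing size + len) means the arithmetic can never wrap around. */
int netbuf_add(NetBuf *b, const uint8_t *src, size_t len) {
    if (b == NULL || src == NULL || b->size > NETBUF_CAP)
        return -1;
    if (len > NETBUF_CAP - b->size)
        return -1;
    memcpy(b->data + b->size, src, len);
    b->size += len;
    return 0;
}

/* Constructed input: returns 0 when oversized data is rejected and the
 * buffer is left exactly full and unchanged. */
int netbuf_demo(void) {
    uint8_t pkt[NETBUF_CAP * 2];
    memset(pkt, 0x41, sizeof pkt);
    NetBuf b = { {0}, 0 };
    if (netbuf_set(&b, pkt, 16) != 0) return 1;
    if (netbuf_add(&b, pkt, NETBUF_CAP - 16) != 0) return 2; /* fills exactly */
    if (netbuf_add(&b, pkt, 1) != -1) return 3;              /* one byte over */
    if (netbuf_set(&b, pkt, sizeof pkt) != -1) return 4;     /* twice capacity */
    return b.size == NETBUF_CAP ? 0 : 5;
}
```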

Yoshi in Mario Kart 7

This lack of checks is particularly severe because all that is necessary to execute this remote attack is for the attacker to be in the same game session as the victim. The full details on the attack were recently published on GitHub by PabloMK7, a developer of a mod pack for Mario Kart 7 for the Nintendo 3DS.

Nintendo allowed publication of the details after it had already patched a number of titles. The titles that have been patched so far are as follows:
  • Mario Kart 7 (fixed in v1.2)
  • Mario Kart 8 Deluxe (fixed in v2.1.0)
  • Animal Crossing: New Horizons (fixed in v2.0.6)
  • ARMS (fixed in v5.4.1)
  • Splatoon 2 (fixed in v5.5.1)
  • Splatoon 3 (fixed in late 2022, exact version unknown)
  • Super Mario Maker 2 (fixed in v3.0.2)
  • Nintendo Switch Sports (fixed in late 2022, exact version unknown)


Splatoon 3 Screenshot

PabloMK7 pointed out that there are likely many other titles impacted by this vulnerability. Based on the list above, it does look like Nintendo is taking into consideration games that it doesn't necessarily directly support anymore. However, Splatoon's first release and Mario Kart 8 (non-deluxe) still remain unpatched. Hopefully that will change and more titles will get patched soon.