ENLBufferPwn (CVE-2022-47949) is a vulnerability in the network code used in many first party Nintendo games since the 3DS. Combined with the right techniques, it allows remote code execution in the victim's console by just having an online game session with the attacker. The vulnerability was discovered by multiple people independently during 2021 and reported to Nintendo during 2021/2022. The severity of the vulnerability has been calculated as 9.8/10 (Critical) by the CVSS 3.1 calculator.

Combined with other OS vulnerabilities, full remote console takeover can be achieved. This has been demonstrated in the case of Mario Kart 7, where a payload is sent to launch SafeB9SInstaller. However, it is theoretically possible to do other malicious activities, such as stealing account/credit card information or taking unauthorized audio/video recordings using the console built-in mic/cameras.

Here is a list of games that are known to have had the vulnerability at some point (all the Switch and 3DS games listed have received updates that patch the vulnerability, so they are no longer affected):

• Mario Kart 7 (fixed in v1.2)
• Mario Kart 8 (still not fixed)
• Mario Kart 8 Deluxe (fixed in v2.1.0)
• Animal Crossing: New Horizons (fixed in v2.0.6)
• ARMS (fixed in v5.4.1)
• Splatoon (still not fixed)
• Splatoon 2 (fixed in v5.5.1)
• Splatoon 3 (fixed in late 2022, exact version unknown)
• Super Mario Maker 2 (fixed in v3.0.2)
• Nintendo Switch Sports (fixed in late 2022, exact version unknown)
• Probably more...

Below you can find proof of concept videos showcasing the vulnerability in Mario Kart 7 and Mario Kart 8.





A full report of the vulnerability can be found in the following GitHub repository.
Full vulnerability report (GitHub)

 

[Reploid]

So that's what MKart 7 update was all about.

 

[linuxares]

So that's what MKart 7 update was all about.

It would explain a lot wouldn't it.

 

[Foxi4]

Don’t store payment details on your console, use 2FA - always been my policy. Recommend that others do the same.

 

[linuxares]

I wonder how far up the line it can go on the Switch.

 

[pustal]

Don’t store payment details on your console, use 2FA - always been my policy. Recommend that others do the same.

Use digital one use cards. Even if you delete them, with some companies history I wouldn't be surprised the infor prevailed somehow in their servers.

 

[hippy dave]

I wonder how far up the line it can go on the Switch.

It's an entry point, so you won't get a full hack without chaining it to a kernel exploit etc. Unfortunately those are believed not to exist on current firmware, but if someone has a console on old firmware that's already susceptible to pegascape, they could probably exploit it through Mario Kart instead for the lols.

 

[Osakasan]

Aaand this is why we cant have nice things.

 

[Latiodile]

Use digital one use cards. Even if you delete them, with some companies history I wouldn't be surprised the infor prevailed somehow in their servers.

those don't exist in some countries, like canada

 

[Brandoman142]

those don't exist in some countries, like canada

There actually is one company that provides digital credit cards in Canada. "float" is the vendor

 

[Purple_Shyguy]

Your telling me it's possible people were watching me playing Mario Kart 7 naked through the 0.2 megapixel inner cameras?

 

[linuxares]

Your telling me it's possible people were watching me playing Mario Kart 7 naked through the 0.2 megapixel inner cameras?

In 3d!

 

[Mhetralla]

Woah, this is big. Not everyday is a multi-console exploitable vulnerability found.

Spoiler

I wonder if we could use this to launch homebrew on the OLED, without using any hardware mod...

 

[Latiodile]

There actually is one company that provides digital credit cards in Canada. "float" is the vendor

that's an impressively vague name for a service, no wonder i've never heard of it... and can't find any results for it

 

[ChibiMofo]

Don’t store payment details on your console, use 2FA - always been my policy. Recommend that others do the same.

Don't pay for games at can be pirated (read as: stolen). That's always been my policy. Recommend that others do the same.

 

[SG854]

I'm never conecting to the internet ever again

 

[DarkCoffe64]

Lmao, not only is their online services complete ass, now this too! Has this crap like ever happened on them Sony consoles or Microsoft? Genuinely asking because I'm not sure, heh.
At least it seems they've been stepping up their game to fix this shit, but damn, just... Craptendo and anything regarding the internet are basically opposites of each other, heh.

 

[SylverReZ]

I was curious on why MK7 had an update. This exploit can make installing CFW quicker without having to resort to ntrboot and all sorts.

 

[PopcornSweetie]

Lmao, not only is their online services complete ass, now this too! Has this crap like ever happened on them Sony consoles or Microsoft? Genuinely asking because I'm not sure, heh.
At least it seems they've been stepping up their game to fix this shit, but damn, just... Craptendo and anything regarding the internet are basically opposites of each other, heh.

All i know is that both Sony and Microsoft got their servers hacked a couple or times (especially in the PS3/X360 era)

 

[SG854]

Lmao, not only is their online services complete ass, now this too! Has this crap like ever happened on them Sony consoles or Microsoft? Genuinely asking because I'm not sure, heh.
At least it seems they've been stepping up their game to fix this shit, but damn, just... Craptendo and anything regarding the internet are basically opposites of each other, heh.

There was the Sony 2011 hack. Their PSN internet was down for almost a whole month, 23 days. I remember that.