
Major Security Vulnerability Disclosed In Multiple Nintendo Games

by Donald Theriault - December 24, 2022, 10:39 am EST
Total comments: 4 Source: GitHub, Twitter

That explains all those updates we've been getting this year.

Some older Nintendo games have been found to have security holes that can be exploited by simply playing online.

The "ENLBufferPwn" exploit, rated as a 9.8 / 10 (Critical) on the Common Vulnerability Scoring System (CVSS) scale, has been found in older Nintendo games dating back to Mario Kart 7 and can allow for a full takeover of the system by a third party. Potential uses include accessing saved payment information and using the 3DS and Wii U GamePad's built-in cameras and microphone to capture audio and video.

The vulnerability is a "buffer overflow": the affected games did not set a limit on the amount of data that is sent in a game session. This is nominally some player data (such as a player's Mii in Mario Kart 7), but the lack of a limit could allow for a full takeover of the system, even with no visible sign to the victim.
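The missing-limit flaw described above, as an added illustration in C. This is not code from Nintendo or from the vulnerability report; the packet layout, buffer size and all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PLAYER_DATA_MAX 64          /* hypothetical size of the fixed receive buffer */

struct player_slot {
    uint8_t data[PLAYER_DATA_MAX];  /* per-player blob, e.g. profile data */
    size_t  used;
};

enum rx_status { RX_OK = 0, RX_TRUNCATED = -1, RX_TOO_LARGE = -2 };

/* Constructed wire format: 2-byte big-endian length, then that many payload bytes. */

/* Flawed pattern: trusts the sender's length field. A declared length above
 * PLAYER_DATA_MAX makes memcpy write past slot->data into adjacent memory. */
int rx_player_data_unchecked(struct player_slot *slot, const uint8_t *pkt, size_t pkt_len)
{
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    (void)pkt_len;                      /* never consulted: that is the bug */
    memcpy(slot->data, pkt + 2, declared);
    slot->used = declared;
    return RX_OK;
}

/* Corrected pattern: the length is checked against the bytes actually received
 * and against the destination capacity before anything is copied. */
int rx_player_data_checked(struct player_slot *slot, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return RX_TRUNCATED;            /* no room for the length header */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2)
        return RX_TRUNCATED;            /* header claims more than was sent */
    if (declared > sizeof slot->data)
        return RX_TOO_LARGE;            /* would overflow the fixed buffer */
    memcpy(slot->data, pkt + 2, declared);
    slot->used = declared;
    return RX_OK;
}

int main(void)
{
    struct player_slot slot = {0};
    uint8_t big[2 + 200] = {0x00, 200}; /* constructed packet declaring 200 bytes */
    return rx_player_data_checked(&slot, big, sizeof big) == RX_TOO_LARGE ? 0 : 1;
}
```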

The vulnerability report shows the following games affected but warns that other first party titles could be involved:

  • 3DS: Mario Kart 7
  • Wii U: Splatoon, Mario Kart 8
  • Switch: Mario Kart 8 Deluxe, ARMS, Splatoon 2 / 3, Super Mario Maker 2, Animal Crossing: New Horizons, Nintendo Switch Sports

Mario Kart 7 recently received its first patch in over a decade to fix the issue, and the Switch titles have either been patched out-of-cycle or had the fix included in other feature updates. However, the Wii U games have not been patched as of press time, and it is not known if they will be. The patch system of the 3DS, which requires downloading patches from the eShop, also means that other vulnerable titles may not be fixed prior to the closure of the 3DS and Wii U eShops in March.

Nintendo was notified of the vulnerability by the discovering parties through a bug bounty program prior to the disclosure, which allowed the existing patches to be developed.

The article has been corrected to reflect the proper date for the shutdown of 3DS and Wii U eShops.


pokepal148 - Spencer Johnson, Contributing Writer - December 24, 2022

The only precedent for patches on previous Nintendo eShops continuing to host patches is the Skyward Sword save channel on the Wii Shop Channel, which I believe can still be downloaded for the first time today, so there are some signs of encouragement there.

M.K.Ultra - December 24, 2022

I don't expect them to support online play for Splatoon 1 for very much longer since 3 is out. Same with MK8 on Wii U. Mario Maker might get support for a little longer than those two.

Mario Maker already lost online support, so I'm honestly surprised that they haven't taken the OG Splatoon and MK8 down.

ThePerm - December 24, 2022

I solved this problem by keeping my Wii U unplugged for the last 2 years
