First-party retro Nintendo games on 3DS, Wii U, and Switch are vulnerable to remote code execution, it has been discovered.

Named ENLBufferPwn, the vulnerability is exploited in an online game. GitHub (and Twitter) user PabloMK7 describes it as follows:

“ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victim’s console by just having an online game with them (remote code execution). It was discovered by multiple people independently during 2021 and reported to Nintendo during 2021 and 2022. Since the initial report, Nintendo has patched the vulnerability in many vulnerable games. The information in this repository has been safely disclosed after getting permission from Nintendo.

The vulnerability has scored a 9.8/10 (Critical) in the CVSS 3.1 calculator.”

The information has also been shared on Twitter:

https://twitter.com/Pablomf6/status/1606637941329215488

Vulnerabilities in older systems and games are a risk all retro gamers face. In the majority of cases, retro games are offline, which considerably reduces the risk and all but rules out a remote code execution exploit.

The retro Nintendo games at risk from ENLBufferPwn are:

  • Mario Kart 7 (fixed in v1.2)
  • Mario Kart 8 (still not fixed)
  • Mario Kart 8 Deluxe (fixed in v2.1.0)
  • Animal Crossing: New Horizons (fixed in v2.0.6)
  • ARMS (fixed in v5.4.1)
  • Splatoon (still not fixed)
  • Splatoon 2 (fixed in v5.5.1)
  • Splatoon 3 (fixed in late 2022, exact version unknown)
  • Super Mario Maker 2 (fixed in v3.0.2)
  • Nintendo Switch Sports (fixed in late 2022, exact version unknown)
  • Probably more…

If for some reason your games in the list above are not updated, then now is the time to get online and run any pending updates. Clearly you’re at less risk of the remote code execution on Nintendo Switch than on a Wii U, but there is no indication whether Nintendo will issue an update for Mario Kart 8 or Splatoon at this point. Given the status of the Wii U’s online services, this seems unlikely.

(GitHub via NintendoPal)

Christian Cawley
Editor in Chief at Gaming Retro UK