Severe vulnerability, ENLBufferPwn, found in multiple Switch, 3DS, and Wii U games
A severe vulnerability known as ENLBufferPwn has been found in various Switch, 3DS, and Wii U games. PabloMK7, Rambo6Glaz, Fishguy6564 were credited for the discovery. The vulnerability, first uncovered in 2021, was already reported to Nintendo.
The exploit is especially significant since a victim’s device can be easily taken over. This can be done merely by having an online game session with an attacker. Given the 9.8/10 (Critical) score it received in the CVSS 3.1 calculator, that goes to show how serious it is.
When paired with other OS exploits, the attacker could achieve full takeover of the system. They could also steal sensitive information or take audio / video recordings.
Remember the version 1.2 update for Mario Kart 7 that just recently came out? Many were surprised that the game received a new patch after so many years. As it turns out, Nintendo was looking to fix the ENLBufferPwn exploit.
As you can see, Nintendo has started to address the situation. Outside of Mario Kart 7, the exploit was fixed in Mario Kart 8 Deluxe version 2.1.0, Animal Crossing: New Horizons version 2.0.6, ARMS version 5.4.1, Splatoon 2 version 5.5.1, and Super Mario Maker 2 version 3.0.2. It was also apparently taken care of in Splatoon 3 and Nintendo Switch Sports a little while back. However, Wii U titles that are impacted – such as Mario Kart 8 and the original Splatoon – have not been patched and it’s unclear if any updates are in the works. It’s also thought that there could be other games out there still impacted by the exploit.
For those that want to get into even more of the details behind the ENLBufferPwn exploit, you can visit the vulnerability report page here. We’d also suggest checking out the Twitter thread here.