CVE-2022-47949

Published: Dec 24, 2022Modified: Apr 14, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The Nintendo NetworkBuffer class, as used in Animal Crossing: New Horizons before 2.0.6 and other products, allows remote attackers to execute arbitrary code via a large UDP packet that causes a buffer overflow, aka ENLBufferPwn. The victim must join a game session with the attacker. Other affected products include Mario Kart 7 before 1.2, Mario Kart 8, Mario Kart 8 Deluxe before 2.1.0, ARMS before 5.4.1, Splatoon, Splatoon 2 before 5.5.1, Splatoon 3 before late 2022, Super Mario Maker 2 before 3.0.2, and Nintendo Switch Sports before late 2022.

Affected (10)

Products: Nintendo: Animal Crossing\, Arms, Mario Kart 7, Mario Kart 8, Splatoon, Splatoon 2, Splatoon 3, Super Mario Maker 2, Switch Sports

9 products

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Nintendo Animal Crossing\	Before 2.0.6
Nintendo Arms	Before 5.4.1
Nintendo Mario Kart 7	Before 1.2
Nintendo Mario Kart 8	Before 2.1.0
Nintendo Mario Kart 8	All versions
Nintendo Splatoon	All versions
Nintendo Splatoon 2	Before 5.5.1
Nintendo Splatoon 3	All versions
Nintendo Super Mario Maker 2	Before 3.0.2
Nintendo Switch Sports	All versions

Related CWEs

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References (2)

https://github.com/PabloMK7/ENLBufferPwn

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/PabloMK7/ENLBufferPwn

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.