cbcvebase.
CVE-2022-47949
published 2022-12-24

CVE-2022-47949: The Nintendo NetworkBuffer class, as used in Animal Crossing: New Horizons before 2.0.6 and other products, allows remote attackers to execute arbitrary code…

PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
16.89%
96.7th percentile
The Nintendo NetworkBuffer class, as used in Animal Crossing: New Horizons before 2.0.6 and other products, allows remote attackers to execute arbitrary code via a large UDP packet that causes a buffer overflow, aka ENLBufferPwn. The victim must join a game session with the attacker. Other affected products include Mario Kart 7 before 1.2, Mario Kart 8, Mario Kart 8 Deluxe before 2.1.0, ARMS before 5.4.1, Splatoon, Splatoon 2 before 5.5.1, Splatoon 3 before late 2022, Super Mario Maker 2 before 3.0.2, and Nintendo Switch Sports before late 2022.

Affected

6 ranges
VendorProductVersion rangeFixed in
nintendoanimal_crossing< 2.0.62.0.6
nintendoarms< 5.4.15.4.1
nintendomario_kart_7< 1.21.2
nintendomario_kart_8< 2.1.02.1.0
nintendosplatoon_2< 5.5.15.5.1
nintendosuper_mario_maker_2< 3.0.23.0.2

Detection & IOCsextracted from sources · hover to see the quote

  • Exploit is delivered over UDP — a large/oversized UDP packet triggers a buffer overflow in the NetworkBuffer C++ class (enl/Net network library). Monitor for abnormally large UDP datagrams sent to Nintendo online gaming sessions.
  • The vulnerable component is the C++ class 'NetworkBuffer' inside the 'enl' or 'Net' network library present on Nintendo Switch, 3DS, and Wii consoles. Target detection at this class/library in firmware or memory analysis.
  • Exploitation requires the attacker to be in the same online game session as the victim. Suspicious co-session activity (e.g., unknown players joining) on affected Nintendo titles should be treated as a potential attack vector.
  • Successful exploitation results in remote code execution on the console. Post-exploitation forensics should look for unexpected process spawning or network callbacks from Nintendo console processes.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.