CVE-2022-47949
Published: 24 December 2022
Summary
CVE-2022-47949 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Nintendo Mario Kart 8. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 5.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a buffer overflow (CWE-120) in Nintendo's NetworkBuffer class, tracked as ENLBufferPwn. It affects multiple Nintendo Switch and 3DS titles including Animal Crossing: New Horizons before version 2.0.6, Mario Kart 7 before 1.2, Mario Kart 8 Deluxe before 2.1.0, ARMS before 5.4.1, Splatoon 2 before 5.5.1, Splatoon 3 before late 2022, Super Mario Maker 2 before 3.0.2, and Nintendo Switch Sports before late 2022, along with several earlier titles that received no updates.
An unauthenticated remote attacker can trigger arbitrary code execution by sending a single oversized UDP packet once the victim joins a multiplayer game session hosted or attended by the attacker. The flaw carries a CVSS 3.1 score of 9.8 and requires no user interaction beyond normal online play.
Public exploit code has been available on GitHub since disclosure. The associated EPSS score rose sharply from a low baseline to a peak of 0.5836 on 2025-12-11 before receding to the current value of 0.1326, indicating a period of increased exploitation interest after the initial announcement.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-50681
Vulnerability details
The Nintendo NetworkBuffer class, as used in Animal Crossing: New Horizons before 2.0.6 and other products, allows remote attackers to execute arbitrary code via a large UDP packet that causes a buffer overflow, aka ENLBufferPwn. The victim must join a…
more
game session with the attacker. Other affected products include Mario Kart 7 before 1.2, Mario Kart 8, Mario Kart 8 Deluxe before 2.1.0, ARMS before 5.4.1, Splatoon, Splatoon 2 before 5.5.1, Splatoon 3 before late 2022, Super Mario Maker 2 before 3.0.2, and Nintendo Switch Sports before late 2022.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.