It appears that Nintendo has been silently working behind the scenes to keep 3DS, Wii U, and Switch players safe from a “severe” exploit while they are gaming online.

The recently-uncovered exploit, titled “ENLBufferPwn”, allows hackers to remotely execute code in a victim’s 3DS/Wii U/Switch system by simply sharing an online game session in first party 3DS, Wii U and Switch games.  This essentially allows a “full console takeover” where a hacker can steal sensitive information or take audio/video recordings from the victim’s 3DS/Wii U/Switch system.

This security vulnerability is considered so serious that it has been rated with a “critical score” of 9.8/10 in the Common Vulnerability Scoring System Version (CVSS). It was apparently reported via Nintendo’s HackerOne program sometime in 2021/2022 by @Pablomf6, who received a $1000 “bounty” as a reward for doing so.

Since then, it is understood that the following titles are affected by the exploit, with Nintendo attempting to patch it out (list courtesy of PabloMK7, Rambo6Glaz, and Fishguy6564):

• Mario Kart 7 (fixed in v1.2)
• Mario Kart 8
• Mario Kart 8 Deluxe (fixed in v2.1.0)
• Animal Crossing: New Horizons (fixed in v2.0.6)
• ARMS (fixed in v5.4.1)
• Splatoon
• Splatoon 2 (fixed in v5.5.1)
• Splatoon 3 (fixed in late 2022, exact version unknown)
• Super Mario Maker 2 (fixed in v3.0.2)
• Nintendo Switch Sports (fixed in late 2022, exact version unknown)

It is unknown if any other Nintendo-developed games are affected by the issue. We’ll report back if we hear more in the future.