Remote Attack on Mario Kart 8 Deluxe Local Multiplayer via Malformed Browse-Reply Packet
CVE-2024-45200

Currently unrated

Key Information:

Vendor

Nintendo

CVE Published:
30 September 2024

Badges

📈 Trended, 📈 Score: 8,850

What is CVE-2024-45200?

CVE-2024-45200 is a critical vulnerability identified in Nintendo's Mario Kart 8 Deluxe, a popular racing game that supports local multiplayer modes. This vulnerability stems from a flaw in the local multiplayer implementation, allowing nearby attackers to exploit it without direct interaction with the victim. By sending a specially crafted malformed packet during the "Wireless Play" or "LAN Play" session setup, an attacker can trigger a stack-based buffer overflow. This can lead to severe consequences, including denial-of-service attacks or even remote code execution on the victim's console, negatively impacting the gaming experience and posing security risks to users' devices.

Technical Details

This vulnerability arises from improper handling of deserialized session information within the Nintendo Pia library used in Mario Kart 8 Deluxe. Specifically, it is tied to how the game processes browse-reply packets in a local multiplayer context. When a player accesses the LAN or LDN menu and an attacker on the same network sends a malformed packet, the game may attempt to read this data without proper validation. The resulting buffer overflow can overwrite the stack memory, leading to unpredictable behavior and potential exploitation to run arbitrary code.
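The class of bug described above, shown from the defensive side as an added example that is not Nintendo's or the Pia library's code: a deserializer that checks a sender-controlled length against both the fixed-size destination and the bytes actually received before copying. The packet layout, `parse_browse_reply`, `struct session_info` and the 32-byte limit are hypothetical, chosen only for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (NOT the Pia wire format):
 *   bytes 0-1: session_id (big-endian), byte 2: info_len, bytes 3..: info */
#define SESSION_INFO_MAX 32

struct session_info {
    uint16_t session_id;
    uint8_t  info_len;
    uint8_t  info[SESSION_INFO_MAX];
};

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_OVERSIZED = -2 };

/* Deserialize one reply into *out without ever writing past out->info. */
int parse_browse_reply(const uint8_t *pkt, size_t pkt_len, struct session_info *out)
{
    if (pkt_len < 3)
        return PARSE_TRUNCATED;            /* header incomplete */

    uint8_t claimed = pkt[2];              /* sender-controlled length */
    /* The length must fit the fixed-size destination. Copying `claimed`
     * bytes without this check is the stack-overflow pattern. */
    if (claimed > SESSION_INFO_MAX)
        return PARSE_OVERSIZED;

    /* The length must also not exceed the bytes actually received. */
    if ((size_t)claimed > pkt_len - 3)
        return PARSE_TRUNCATED;

    out->session_id = (uint16_t)((pkt[0] << 8) | pkt[1]);
    out->info_len = claimed;
    memcpy(out->info, pkt + 3, claimed);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    const uint8_t good[] = { 0x12, 0x34, 0x02, 0xAA, 0xBB };
    uint8_t oversized[3 + 200] = { 0x00, 0x01, 200 };  /* claims 200 > 32 */
    struct session_info s;
    printf("good: %d\n", parse_browse_reply(good, sizeof good, &s));
    printf("oversized: %d\n", parse_browse_reply(oversized, sizeof oversized, &s));
    return 0;
}
```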

Impact of the Vulnerability

  1. Denial of Service: Attackers can induce a crash in the game's process, rendering the multiplayer functionality inoperative for the user. This not only disrupts gameplay but can also affect overall user experience with the console.

  2. Remote Code Execution: The flaw enables malicious actors to execute arbitrary code on the victim's console, which can lead to further exploitation, compromising the integrity of the system and potentially allowing for the installation of malware.

  3. User Trust and Reputation Damage: Persistent exploitation of this vulnerability could undermine user trust in the security of Nintendo’s online services and products, damaging the brand reputation as players may reconsider their choices for multiplayer gaming experiences.


EPSS Score

5% chance of being exploited in the next 30 days.

Timeline

  • 📈 Vulnerability started trending

  • Vulnerability published

  • Vulnerability Reserved
