CVE-2024-45200: n/a
CVE-2024-45200 is a medium-severity stack-based buffer overflow vulnerability in Nintendo Mario Kart 8 Deluxe versions before 3.0.3. It affects the LAN/LDN local multiplayer feature, allowing a remote attacker on the same LAN or nearby (for LDN) to send a crafted browse-reply packet that triggers the overflow during deserialization of session information. The victim only needs to open the Wireless Play or LAN Play menu; no game session joining or user interaction beyond opening the menu is required. Exploitation can cause denial-of-service of the game process or potentially remote code execution on the victim's console. The root cause is improper use of the Nintendo Pia library. No known exploits are currently in the wild, and the CVSS 3.1 score is 6.3, reflecting medium severity with an adjacent-network attack vector, no privileges or user interaction required, and impacts to confidentiality, integrity, and availability.
AI Analysis
Technical Summary
CVE-2024-45200 is a stack-based buffer overflow vulnerability discovered in Nintendo Mario Kart 8 Deluxe prior to version 3.0.3, specifically within the LAN/LDN local multiplayer implementation. The flaw arises from improper handling and deserialization of session information in browse-reply packets, which are used to discover and join multiplayer sessions over local networks. An attacker located on the same LAN or physically nearby (in the case of LDN) can send a specially crafted malformed browse-reply packet to a victim's console. The victim only needs to open the Wireless Play or LAN Play menu on the game’s title screen, which triggers the vulnerable code path. No further interaction, such as joining a game session, is necessary for exploitation. The vulnerability stems from incorrect use of the Nintendo Pia library, leading to a stack-based buffer overflow during packet processing. Successful exploitation can result in a complete denial-of-service (crashing the game process) or potentially remote code execution, allowing the attacker to run arbitrary code on the victim’s console. The CVSS 3.1 base score is 6.3, indicating medium severity, with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts to confidentiality, integrity, and availability. No public exploits have been reported yet, and no official patches or updates have been linked at the time of publication. This vulnerability highlights risks in local multiplayer features that rely on network packet deserialization without sufficient input validation or memory safety checks.
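The input validation this class of deserialization bug calls for, shown as an added example that is not Nintendo's or the Pia library's code: a parser that checks a sender-supplied length against both the destination buffer and the bytes actually received before copying. The record layout, `APP_DATA_MAX`, and all names are assumptions made for illustration; the real browse-reply format is not described on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define APP_DATA_MAX 64   /* capacity of the destination buffer (assumed) */

/* Hypothetical session record; NOT the real Pia wire format. */
struct session_info {
    uint8_t  app_data[APP_DATA_MAX];
    uint16_t app_data_len;
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Constructed layout: [u16 big-endian length][length bytes of app data]. */
enum parse_status parse_session_info(const uint8_t *pkt, size_t pkt_len,
                                     struct session_info *out)
{
    if (pkt_len < 2)
        return PARSE_TRUNCATED;            /* length header itself is missing */

    uint16_t claimed = (uint16_t)((pkt[0] << 8) | pkt[1]);

    /* The unsafe pattern is memcpy(out->app_data, pkt + 2, claimed) with no
     * checks: `claimed` comes from the sender, so it can exceed the buffer. */
    if (claimed > APP_DATA_MAX)
        return PARSE_TOO_LONG;             /* would overflow the destination */
    if (claimed > pkt_len - 2)
        return PARSE_TRUNCATED;            /* would read past the packet end */

    memcpy(out->app_data, pkt + 2, claimed);
    out->app_data_len = claimed;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t sample_ok[]        = { 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t sample_too_long[]  = { 0x01, 0x00, 'a', 'b', 'c' }; /* claims 256 */
static const uint8_t sample_truncated[] = { 0x00, 0x08, 'a', 'b', 'c' }; /* claims 8, has 3 */

int main(void)
{
    struct session_info si;
    return parse_session_info(sample_ok, sizeof sample_ok, &si) == PARSE_OK ? 0 : 1;
}
```

Rejecting the record outright, rather than clamping the length and copying a prefix, keeps a malformed packet from producing a partially trusted session entry.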
Potential Impact
The primary impact of CVE-2024-45200 is on the availability and integrity of the Mario Kart 8 Deluxe game process on Nintendo Switch consoles. An attacker on the same LAN or physically nearby can cause the game to crash, resulting in denial-of-service and disruption of gameplay. More critically, the buffer overflow could allow remote code execution, which may enable an attacker to execute arbitrary code on the victim’s console. This could lead to unauthorized control over the device, potentially compromising user data, game integrity, or even broader system security depending on the console’s security architecture. Although exploitation requires network proximity and the victim opening the Wireless or LAN Play menu, the lack of need for user interaction beyond that and no privilege requirements lower the barrier to attack. For organizations or individuals using Nintendo Switch consoles in shared environments such as gaming cafes, tournaments, or LAN parties, this vulnerability could be leveraged to disrupt events or compromise devices. The absence of known exploits reduces immediate risk, but the potential for remote code execution elevates the threat if weaponized. Overall, the impact is significant for affected users but limited in scope to local network environments.
Mitigation Recommendations
To mitigate CVE-2024-45200, affected users should update Mario Kart 8 Deluxe to version 3.0.3 or later as soon as the patch becomes available from Nintendo. Until patched, users should avoid opening the Wireless Play or LAN Play menus in untrusted or public LAN environments to reduce exposure. Network administrators in environments with Nintendo Switch consoles should segment and isolate gaming devices on separate VLANs or subnets to limit LAN-based attack vectors. Employing network monitoring to detect anomalous or malformed browse-reply packets targeting Switch consoles can provide early warning of exploitation attempts. Additionally, Nintendo should review and improve input validation and memory safety in the Pia library and related multiplayer code to prevent similar deserialization vulnerabilities. Users should also disable local multiplayer features if not needed. For event organizers, ensuring consoles are updated and restricting network access during tournaments can reduce risk. Finally, educating users about the risks of local network attacks and encouraging cautious use of multiplayer menus can help mitigate exploitation.
Affected Countries
United States, Japan, Germany, United Kingdom, Canada, France, Australia, South Korea, Brazil, Mexico
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-22T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ceab7ef31ef0b56a32e
Added to database: 2/25/2026, 9:43:06 PM
Last enriched: 2/26/2026, 8:09:57 AM
Last updated: 2/26/2026, 8:55:23 AM