Skip to main content

Morse Micro HaLowLink 2 CVE-2026-7762

| EUVDEUVD-2026-34780 CRITICAL
2026-06-05 Bugcrowd GHSA-qm6x-8r68-vvv2
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 21:22 vuln.today
CVSS changed
Jun 05, 2026 - 21:22 NVD
9.8 (None) 9.8 (CRITICAL)
Patch available
Jun 05, 2026 - 04:16 EUVD
CVE Published
Jun 05, 2026 - 01:36 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.

AnalysisAI

Remote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.11.13 allows any attacker within 802.11ah radio range to corrupt kernel heap memory by broadcasting a malformed S1G Capabilities IE in a beacon or probe response frame. The flaw sits in the dot11ah.ko HaLow Wi-Fi driver and triggers during normal passive scanning, requiring no authentication, association, or user interaction. A vendor patch exists, but no public exploit identified at time of analysis and EPSS sits at 0.05% despite the CVSS 9.8 rating.

Technical ContextAI

The dot11ah.ko kernel module implements IEEE 802.11ah (Wi-Fi HaLow) - a sub-GHz long-range, low-power Wi-Fi variant used for IoT and industrial deployments - on Morse Micro HaLowLink 2 gateways (CPE cpe:2.3:a:morse_micro:halowlink_2). The vulnerable function morse_dot11ah_find_s1g_caps_for_bssid() parses the S1G Capabilities Information Element (IE element ID 0xD9) from received management frames and copies the IE payload into a fixed 15-byte stack/heap destination buffer using memcpy, sizing the copy from the untrusted 1-byte IE length field rather than the destination buffer size. Because 802.11 IE length is an unsigned 8-bit value, an attacker controls up to 255 bytes, producing a heap overflow of up to 240 bytes of attacker-controlled data into adjacent kernel allocations - a classic CWE-122 heap buffer overflow (no CWE was supplied in the record, but the description maps directly to this class).

RemediationAI

Apply the vendor-released patch by upgrading HaLowLink 2 software to version 2.11.13 or later as described in Morse Micro advisory MM-SA-2026-002 (https://www.morsemicro.com/security-advisories/MM-SA-2026-002); NVD tracking is at https://nvd.nist.gov/vuln/detail/CVE-2026-7762. Where immediate patching is not feasible, compensating controls are limited because the bug triggers during passive scanning of unauthenticated management frames: disable the HaLow radio interface on exposed gateways (eliminates the attack surface but breaks HaLow connectivity), restrict device deployment to RF-shielded or physically controlled environments to keep attackers out of sub-GHz radio range (operationally expensive and not feasible outdoors), or, if the driver exposes a configurable scan/channel allowlist, narrow it to known peers (reduces but does not eliminate exposure since beacons/probe responses on the operating channel will still be parsed). Monitor kernel logs for unexplained panics or oops traces in dot11ah.ko as a detection signal until the patch is rolled out.

Share

CVE-2026-7762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy