Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.
AnalysisAI
Remote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.11.13 allows any attacker within 802.11ah radio range to corrupt kernel heap memory by broadcasting a malformed S1G Capabilities IE in a beacon or probe response frame. The flaw sits in the dot11ah.ko HaLow Wi-Fi driver and triggers during normal passive scanning, requiring no authentication, association, or user interaction. A vendor patch exists, but no public exploit identified at time of analysis and EPSS sits at 0.05% despite the CVSS 9.8 rating.
Technical ContextAI
The dot11ah.ko kernel module implements IEEE 802.11ah (Wi-Fi HaLow) - a sub-GHz long-range, low-power Wi-Fi variant used for IoT and industrial deployments - on Morse Micro HaLowLink 2 gateways (CPE cpe:2.3:a:morse_micro:halowlink_2). The vulnerable function morse_dot11ah_find_s1g_caps_for_bssid() parses the S1G Capabilities Information Element (IE element ID 0xD9) from received management frames and copies the IE payload into a fixed 15-byte stack/heap destination buffer using memcpy, sizing the copy from the untrusted 1-byte IE length field rather than the destination buffer size. Because 802.11 IE length is an unsigned 8-bit value, an attacker controls up to 255 bytes, producing a heap overflow of up to 240 bytes of attacker-controlled data into adjacent kernel allocations - a classic CWE-122 heap buffer overflow (no CWE was supplied in the record, but the description maps directly to this class).
RemediationAI
Apply the vendor-released patch by upgrading HaLowLink 2 software to version 2.11.13 or later as described in Morse Micro advisory MM-SA-2026-002 (https://www.morsemicro.com/security-advisories/MM-SA-2026-002); NVD tracking is at https://nvd.nist.gov/vuln/detail/CVE-2026-7762. Where immediate patching is not feasible, compensating controls are limited because the bug triggers during passive scanning of unauthenticated management frames: disable the HaLow radio interface on exposed gateways (eliminates the attack surface but breaks HaLow connectivity), restrict device deployment to RF-shielded or physically controlled environments to keep attackers out of sub-GHz radio range (operationally expensive and not feasible outdoors), or, if the driver exposes a configurable scan/channel allowlist, narrow it to known peers (reduces but does not eliminate exposure since beacons/probe responses on the operating channel will still be parsed). Monitor kernel logs for unexplained panics or oops traces in dot11ah.ko as a detection signal until the patch is rolled out.
More in Halowlink 2
View allRemote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allow
Heap out-of-bounds read in Morse Micro HaLowLink 2 prior to version 2.11.12 allows an unauthenticated attacker within 80
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34780
GHSA-qm6x-8r68-vvv2