Skip to main content

Morse Micro HaLowLink 2 CVE-2026-7763

| EUVDEUVD-2026-34781 CRITICAL
2026-06-05 Bugcrowd GHSA-wq9p-qhjj-gw6h
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 21:22 vuln.today
CVSS changed
Jun 05, 2026 - 21:22 NVD
9.8 (None) 9.8 (CRITICAL)
Patch available
Jun 05, 2026 - 04:16 EUVD
CVE Published
Jun 05, 2026 - 01:39 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.

AnalysisAI

Remote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allows attackers within radio range to corrupt kernel memory via a malformed 802.11ah beacon frame. The flaw resides in the morse.ko HaLow Wi-Fi kernel driver, which processes broadcast beacons during passive scanning, requiring no authentication or user interaction. No public exploit identified at time of analysis, but SSVC rates the technical impact as total and the issue as automatable, and a vendor patch is available.

Technical ContextAI

The vulnerability sits in the morse.ko Linux kernel module that implements support for IEEE 802.11ah (Wi-Fi HaLow), a sub-GHz long-range low-power Wi-Fi variant used in IoT gateways such as the HaLowLink 2. Inside page_slicing.c, the function morse_page_slicing_process_tim_element() parses the Traffic Indication Map (TIM) Information Element from incoming beacon frames and derives the bitmap length directly from an attacker-controlled IE field without bounds-checking against the fixed-size destination buffer. The unchecked length is then handed to memset and memcpy, producing a classic heap-based buffer overflow (CWE-122 class flaw, although the CWE is not formally assigned in the data) of up to 252 bytes of attacker-supplied data. Because TIM IEs are part of standard beacon parsing during passive scanning, the vulnerable code path executes against any radio-range transmitter regardless of association state.

RemediationAI

Vendor-released patch: HaLowLink 2 software version 2.11.13 or later, available per Morse Micro advisory MM-SA-2026-001 (https://www.morsemicro.com/security-advisories/MM-SA-2026-001); upgrade all affected devices as the primary remediation. Where immediate patching is not feasible, compensating controls include disabling the HaLow radio interface on exposed units (which eliminates the attack surface entirely but removes the device's primary function), physically relocating devices away from untrusted radio environments to shrink the effective attack range (limited by 802.11ah's sub-GHz long-range propagation, which can extend hundreds of meters), and monitoring kernel logs for repeated panics or driver crashes that may indicate exploitation attempts. Network-layer ACLs and authentication offer no protection because the vulnerable parsing occurs on broadcast beacon frames during passive scanning before any association.

Share

CVE-2026-7763 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy