Skip to main content

HaLowLink 2 EUVDEUVD-2026-34189

| CVE-2026-7764 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-04 Bugcrowd GHSA-7c7h-p74x-w3h5
6.8
CVSS 3.1 · Vendor: Bugcrowd
Share

Severity by source

Vendor (Bugcrowd) PRIMARY
6.8 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Primary rating from Vendor (Bugcrowd) · only source for this CVE.

CVSS VectorVendor: Bugcrowd

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 04, 2026 - 14:27 vuln.today
CVSS changed
Jun 04, 2026 - 14:22 NVD
6.8 (MEDIUM)
Patch available
Jun 04, 2026 - 03:01 EUVD
CVE Published
Jun 04, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required.

AnalysisAI

Heap out-of-bounds read in Morse Micro HaLowLink 2 prior to version 2.11.12 allows an unauthenticated attacker within 802.11ah radio range to disclose up to 9 bytes of kernel heap memory or trigger a kernel panic (DoS) by transmitting a crafted beacon or probe response frame containing a malformed Vendor Information Element. The morse.ko kernel driver function morse_vendor_find_vendor_ie() fails to validate IE body length against the expected structure size before downstream callers read at fixed offsets, requiring only that the IE length field exceed 3 bytes. No public exploit identified at time of analysis; EPSS places exploitation probability at 0.03% (8th percentile) with no CISA KEV listing, though the zero-prerequisite radio-range attack surface warrants prompt patching for HaLow-enabled deployments.

Technical ContextAI

The vulnerability resides in the morse.ko kernel module, the 802.11ah (Wi-Fi HaLow) driver component of Morse Micro's HaLowLink 2 software stack (CPE: cpe:2.3:a:morse_micro:halowlink_2:*:*:*:*:*:*:*:*). 802.11ah operates in the sub-1 GHz ISM band and is architected for extended-range IoT connectivity, where management frames such as beacons and probe responses are processed passively before any authentication or association occurs. The root cause is in morse_vendor_find_vendor_ie(), which parses Vendor Information Elements from received 802.11 management frames but applies only a threshold check (IE length > 3 bytes) rather than validating the IE body is large enough to satisfy the expected structure layout. The returned pointer is subsequently passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), both of which perform fixed-offset reads into the IE data without re-checking bounds. An undersized IE body causes these reads to extend up to 9 bytes beyond the allocated IE payload into adjacent kernel heap memory. Though no CWE was formally assigned by NVD, the flaw maps to CWE-125 (Out-of-bounds Read), consistent with the 'Buffer Overflow' and 'Denial Of Service' tags provided by intelligence sources.

RemediationAI

The primary remediation is to upgrade Morse Micro HaLowLink 2 to version 2.11.12 or later, which introduces proper IE length validation in morse_vendor_find_vendor_ie() against the expected structure size before fixed-offset reads are performed downstream. Upgrade guidance is available in vendor advisory MM-SA-2026-003 at https://www.morsemicro.com/security-advisories/MM-SA-2026-003. Where immediate patching is not operationally feasible, the most effective compensating control is to disable the HaLow (802.11ah) radio interface entirely, eliminating the attack surface at the cost of all HaLow connectivity. Alternatively, deploying physical RF access controls or directional antenna configurations to restrict attacker radio proximity reduces exploitability but does not eliminate it, given 802.11ah's extended sub-1 GHz range. Monitoring kernel logs (dmesg, crash dumps) for unexpected oops or panic events attributable to the morse.ko module can serve as a detection signal for exploitation attempts. No software-only workaround that preserves HaLow functionality has been identified in available data.

Share

EUVD-2026-34189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy