Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
AnalysisAI
Remote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allows attackers within radio range to corrupt kernel memory via a malformed 802.11ah beacon frame. The flaw resides in the morse.ko HaLow Wi-Fi kernel driver, which processes broadcast beacons during passive scanning, requiring no authentication or user interaction. No public exploit identified at time of analysis, but SSVC rates the technical impact as total and the issue as automatable, and a vendor patch is available.
Technical ContextAI
The vulnerability sits in the morse.ko Linux kernel module that implements support for IEEE 802.11ah (Wi-Fi HaLow), a sub-GHz long-range low-power Wi-Fi variant used in IoT gateways such as the HaLowLink 2. Inside page_slicing.c, the function morse_page_slicing_process_tim_element() parses the Traffic Indication Map (TIM) Information Element from incoming beacon frames and derives the bitmap length directly from an attacker-controlled IE field without bounds-checking against the fixed-size destination buffer. The unchecked length is then handed to memset and memcpy, producing a classic heap-based buffer overflow (CWE-122 class flaw, although the CWE is not formally assigned in the data) of up to 252 bytes of attacker-supplied data. Because TIM IEs are part of standard beacon parsing during passive scanning, the vulnerable code path executes against any radio-range transmitter regardless of association state.
RemediationAI
Vendor-released patch: HaLowLink 2 software version 2.11.13 or later, available per Morse Micro advisory MM-SA-2026-001 (https://www.morsemicro.com/security-advisories/MM-SA-2026-001); upgrade all affected devices as the primary remediation. Where immediate patching is not feasible, compensating controls include disabling the HaLow radio interface on exposed units (which eliminates the attack surface entirely but removes the device's primary function), physically relocating devices away from untrusted radio environments to shrink the effective attack range (limited by 802.11ah's sub-GHz long-range propagation, which can extend hundreds of meters), and monitoring kernel logs for repeated panics or driver crashes that may indicate exploitation attempts. Network-layer ACLs and authentication offer no protection because the vulnerable parsing occurs on broadcast beacon frames during passive scanning before any association.
More in Halowlink 2
View allRemote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.
Heap out-of-bounds read in Morse Micro HaLowLink 2 prior to version 2.11.12 allows an unauthenticated attacker within 80
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34781
GHSA-wq9p-qhjj-gw6h