Description
A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.
Published: 2026-06-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based buffer overflow exists in the dot11ah.ko HaLow Wi‑Fi kernel driver of Morse Micro HaLowLink 2. The vulnerability is triggered when the driver processes an 802.11ah beacon or probe‑response frame that contains a malformed S1G Capabilities Information Element with an excessively long length field. Exploiting this flaw allows an unauthenticated attacker within radio range to overwrite up to 240 bytes of adjacent kernel heap memory, potentially causing a kernel panic or enabling arbitrary code execution.

Affected Systems

The affected product is Morse Micro HaLowLink 2 software versions earlier than 2.11.13. No other vendors or products are listed as impacted by this flaw.

Risk and Exploitability

Because the attack requires only the transmission of a crafted wireless frame and does not need any credentials or network access, the attack vector is wireless proximity. The CVSS and EPSS scores are not available, and the vulnerability is not listed in CISA’s KEV catalog, but the potential for denial of service or remote code execution on a kernel level makes the risk high for systems that expose a HaLow link. An attacker must be within radio range (~30 meters for 802.11ah) to deliver the payload, which reduces the overall likelihood of exploitation in the broader internet, though it remains a serious risk in shared or open wireless environments.

Generated by OpenCVE AI on June 5, 2026 at 04:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HaLowLink 2 to version 2.11.13 or later, which includes a patch for the buffer overflow flaw.
  • If an update is not immediately feasible, disable or restrict 802.11ah scanning on the affected interface to prevent reception of malicious beacon or probe‑response frames.
  • Monitor system logs for kernel panics or abnormal activity related to dot11ah.

Generated by OpenCVE AI on June 5, 2026 at 04:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.
Title Heap buffer overflow in dot11ah.ko S1G Capabilities IE processing
First Time appeared Morsemicro
Morsemicro halow Link 2
CPEs cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*
Vendors & Products Morsemicro
Morsemicro halow Link 2
References

Subscriptions

Morsemicro Halow Link 2
cve-icon MITRE

Status: PUBLISHED

Assigner: Bugcrowd

Published:

Updated: 2026-06-05T20:19:29.920Z

Reserved: 2026-05-04T05:02:07.918Z

Link: CVE-2026-7762

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-05T02:17:14.510

Modified: 2026-06-05T21:16:30.907

Link: CVE-2026-7762

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T07:30:30Z

Weaknesses