Description
A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
Published: 2026-06-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based buffer overflow exists in the Morse Micro HaLowLink 2 "morse.ko" Wi‑Fi kernel driver. When a beacon frame containing a malformed Traffic Indication Map Information Element is processed, the driver copies the TIM bitmap without bounds checking. This allows an attacker to inject up to 252 bytes of data beyond the destination buffer. Writing beyond the buffer can trigger a kernel panic (denial of service) or, if the overflow leads to execution of attacker‑controlled code, remote code execution with kernel privileges.

Affected Systems

Morse Micro HaLowLink 2 firmware prior to version 2.11.13. The issue affects all systems running the HaLow Wi‑Fi kernel driver "morse.ko" on this platform. Devices that receive beacon frames in the same radio range as the target are vulnerable.

Risk and Exploitability

The flaw can be abused by anyone within radio range without prior authentication, association or user interaction, because beacon frames are broadcast during passive scanning. Although an EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the high severity of a kernel‑level buffer overflow and the potential for remote code execution make the risk substantial. Attackers with knowledge of malformed beacon construction could readily deploy the exploit, especially on poorly secured wireless networks.

Generated by OpenCVE AI on June 5, 2026 at 04:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Morse Micro HaLowLink firmware to version 2.11.13 or later, which bounds‑checks the TIM bitmap length before copying data.
  • If an upgrade is not immediately possible, isolate the device from untrusted wireless traffic by implementing physical or logical separation (e.g., a dedicated VLAN, minimized beacon reception, or disabling the radio).
  • Deploy wireless intrusion‑prevention or monitoring that flags abnormal beacon frames or excessive TIM IE sizes, and consider rejecting or dropping such frames at the access point level.

Generated by OpenCVE AI on June 5, 2026 at 04:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
Title Heap buffer overflow in morse.ko TIM IE processing
First Time appeared Morsemicro
Morsemicro halow Link 2
CPEs cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*
Vendors & Products Morsemicro
Morsemicro halow Link 2
References

Subscriptions

Morsemicro Halow Link 2
cve-icon MITRE

Status: PUBLISHED

Assigner: Bugcrowd

Published:

Updated: 2026-06-05T20:20:25.385Z

Reserved: 2026-05-04T05:03:00.671Z

Link: CVE-2026-7763

cve-icon Vulnrichment

Updated: 2026-06-05T20:20:21.265Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-05T02:17:14.640

Modified: 2026-06-05T21:16:31.080

Link: CVE-2026-7763

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T07:30:30Z

Weaknesses