Description
A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
Published: 2026-06-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap‑based buffer overflow in the Morse Micro HaLowLink 2 "morse.ko" Wi‑Fi kernel driver. When a beacon frame containing a malformed Traffic Indication Map Information Element is processed, the driver copies the TIM bitmap without bounds checking, allowing up to 252 bytes of attacker‑controlled data to be written beyond the destination buffer. Writing beyond the buffer can trigger a kernel panic (denial of service) or, if the overflow leads to execution of attacker‑controlled code, remote code execution with kernel privileges.
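The missing check, as an added example that is not code from the morse.ko driver or from the vendor's fix: a TIM copy routine that validates the IE length against the frame and against the destination buffer before any memset or memcpy. The names, the 32-byte buffer size and the classic 802.11 TIM layout (three fixed octets before the bitmap) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_TIM        5   /* 802.11 element ID of the TIM element */
#define TIM_FIXED_LEN  3   /* DTIM count, DTIM period, bitmap control (classic layout, assumed) */
#define TIM_BITMAP_MAX 32  /* hypothetical buffer size, not the driver's real value */

struct tim_state { uint8_t bitmap[TIM_BITMAP_MAX]; size_t bitmap_len; };

/* Find the TIM element in an IE list and copy its bitmap only if it fits.
 * Returns 0 on success, -1 if the TIM is missing, truncated or oversized. */
int tim_copy_checked(const uint8_t *ies, size_t ies_len, struct tim_state *st)
{
    size_t off = 0;
    while (ies_len - off >= 2) {             /* room for an ID and a length octet */
        uint8_t id = ies[off];
        size_t len = ies[off + 1];
        if (len > ies_len - off - 2)
            return -1;                       /* element claims more bytes than the frame holds */
        if (id == EID_TIM) {
            if (len < TIM_FIXED_LEN)
                return -1;                   /* too short: bitmap length would underflow */
            size_t blen = len - TIM_FIXED_LEN;
            if (blen > sizeof(st->bitmap))
                return -1;                   /* bound against the destination before copying */
            memset(st->bitmap, 0, sizeof(st->bitmap));
            memcpy(st->bitmap, ies + off + 2 + TIM_FIXED_LEN, blen);
            st->bitmap_len = blen;
            return 0;
        }
        off += 2 + len;                      /* skip to the next element */
    }
    return -1;
}

/* Constructed sample: a TIM element with the maximum IE length (255), i.e. a
 * 252-byte bitmap, which must be rejected against the 32-byte buffer. */
int demo_oversized_tim(void)
{
    uint8_t ies[2 + 255] = { EID_TIM, 255 };
    struct tim_state st = { {0}, 0 };
    return tim_copy_checked(ies, sizeof(ies), &st);
}

int main(void) { return demo_oversized_tim() == -1 ? 0 : 1; }
```

The same length comparison, applied to captured beacons, is what a monitoring rule for oversized TIM elements would evaluate.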

Affected Systems

Morse Micro HaLowLink 2 firmware versions prior to 2.11.13. The issue affects all systems running the HaLow Wi‑Fi kernel driver "morse.ko" on this platform. Any affected device that receives beacon frames from a transmitter within radio range is vulnerable.

Risk and Exploitability

The flaw can be abused by anyone within radio range, as beacon frames are broadcast and processed during passive scanning. The likely attack vector is the transmission of a crafted 802.11ah beacon frame containing a malformed TIM Information Element, which requires no authentication, association, or user interaction. The CVSS score of 9.8 reflects critical severity. The EPSS score of below 1% indicates a very low exploitation probability at this time, and the vulnerability is not listed in the CISA KEV catalog. Despite the low exploitation probability, the potential for kernel‑level remote code execution remains a substantial risk for affected devices.

Generated by OpenCVE AI on June 6, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Morse Micro HaLowLink firmware to version 2.11.13 or later, which bounds‑checks the TIM bitmap length before copying data.
  • If an upgrade is not immediately possible, isolate the device from untrusted wireless traffic by implementing physical or logical separation (e.g., a dedicated VLAN, minimized beacon reception, or disabling the radio).
  • Deploy wireless intrusion‑prevention or monitoring that flags abnormal beacon frames or excessive TIM IE sizes, and consider rejecting or dropping such frames at the access point level.

Generated by OpenCVE AI on June 6, 2026 at 01:24 UTC.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Fri, 05 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
Title Heap buffer overflow in morse.ko TIM IE processing
First Time appeared Morsemicro
Morsemicro halow Link 2
CPEs cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*
Vendors & Products Morsemicro
Morsemicro halow Link 2
References

MITRE

Status: PUBLISHED

Assigner: Bugcrowd

Published:

Updated: 2026-06-05T20:20:25.385Z

Reserved: 2026-05-04T05:03:00.671Z

Link: CVE-2026-7763

Vulnrichment

Updated: 2026-06-05T20:20:21.265Z

NVD

Status: Awaiting Analysis

Published: 2026-06-05T02:17:14.640

Modified: 2026-06-05T21:16:31.080

Link: CVE-2026-7763

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T01:30:06Z

Weaknesses

No weakness.