Description
An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required.
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in the kernel driver morse.ko used by Morse Micro HaLowLink 2. An attacker can craft a malformed Vendor Information Element in an 802.11ah beacon or probe response. The driver fails to validate the IE length before accessing fixed offsets inside the IE, allowing a small heap leak of up to nine bytes. The same flaw can trigger a kernel panic, resulting in a denial of service. No authentication, association, or user interaction is required – the attacker only needs to be within radio range.
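
The missing check described above, as an added example in C (not Morse Micro's driver code): a generic element walker that takes the minimum data length the caller will dereference. The OUI, the 12-byte expected size, the sample buffers and all function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_VENDOR_SPECIFIC 221  /* 802.11 vendor-specific element ID */
#define WEAK_MIN_LEN          4  /* "longer than 3 bytes", as in the advisory */
#define EXPECTED_MIN_LEN     12  /* assumed structure size, not the driver's real value */

/* Constructed placeholder OUI, not the vendor's. */
static const uint8_t EXAMPLE_OUI[3] = { 0xAA, 0xBB, 0xCC };

/* Constructed IE buffers: SSID element, then a vendor IE with 5 or 12 data bytes. */
static const uint8_t SHORT_IES[] = { 0, 2, 'h', 'l',
    221, 5, 0xAA, 0xBB, 0xCC, 0x01, 0x00 };
static const uint8_t FULL_IES[] = { 0, 2, 'h', 'l',
    221, 12, 0xAA, 0xBB, 0xCC, 0x01, 0, 0, 0, 0, 0, 0, 0, 0x5A };

/* Walk the elements and return the matching vendor IE's data, or NULL.
 * min_len is the smallest data length the caller will dereference. */
static const uint8_t *find_vendor_ie(const uint8_t *ies, size_t len, size_t min_len)
{
    size_t pos = 0;

    while (len - pos >= 2) {                 /* room for ID + length octets */
        size_t ie_len = ies[pos + 1];

        if (ie_len > len - pos - 2)          /* element overruns the buffer */
            return NULL;
        if (ies[pos] == EID_VENDOR_SPECIFIC && ie_len >= 3 && ie_len >= min_len &&
            memcmp(&ies[pos + 2], EXAMPLE_OUI, 3) == 0)
            return &ies[pos + 2];
        pos += 2 + ie_len;
    }
    return NULL;
}

/* Consumer that reads a fixed offset, safe only if the finder enforced the size. */
static int read_last_field(const uint8_t *ies, size_t len, size_t min_len)
{
    const uint8_t *ie = find_vendor_ie(ies, len, min_len);

    return ie ? ie[EXPECTED_MIN_LEN - 1] : -1;
}
```

With `WEAK_MIN_LEN` the 5-byte element is handed to the caller, whose fixed-offset read would then run past it; with `EXPECTED_MIN_LEN` the finder rejects it before any field is touched.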

Affected Systems

Morse Micro HaLowLink 2, all software releases prior to version 2.11.12. The affected component is the HaLow 802.11ah kernel driver within the HaLowLink 2 firmware stack.

Risk and Exploitability

The EPSS score is not available and this issue is not listed in CISA KEV. The weakness lets an attacker within radio range read a small amount of kernel heap memory or disrupt system availability. Exploitation requires only a single crafted frame, so the barrier is low for any attacker within radio range of the target device.

Generated by OpenCVE AI on June 4, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HaLowLink 2 firmware to version 2.11.12 or later, which includes a validation check on the Vendor IE length.
  • If an upgrade cannot be performed immediately, block or filter 802.11ah beacon and probe response frames that contain Vendor Information Elements, or disable the faulty driver feature via device configuration if possible.
  • Continuously monitor the wireless interface for malformed 802.11ah frames and apply network‑level filtering to suppress suspicious traffic until a patch is applied.



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-119, CWE-200

Thu, 04 Jun 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required.
Title | | Out-of-bounds read in morse.ko Vendor IE processing
First Time appeared | | Morsemicro; Morsemicro halow Link 2
CPEs | | cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*
Vendors & Products | | Morsemicro; Morsemicro halow Link 2
References | |

MITRE

Status: PUBLISHED

Assigner: Bugcrowd

Published:

Updated: 2026-06-04T00:17:45.373Z

Reserved: 2026-05-04T05:03:13.154Z

Link: CVE-2026-7764

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T02:16:17.700

Modified: 2026-06-04T02:16:17.700

Link: CVE-2026-7764

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T02:30:03Z

Weaknesses