Description
An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required.
Published: 2026-06-04
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in the kernel driver morse.ko used by Morse Micro HaLowLink 2. An attacker can craft a malformed Vendor Information Element in an 802.11ah beacon or probe response. The driver fails to validate the IE length before accessing fixed offsets inside the IE, allowing a small heap leak of up to nine bytes. The same flaw can trigger a kernel panic, resulting in a denial of service. No authentication, association, or user interaction is required – the attacker only needs to be within radio range.

Affected Systems

Morse Micro HaLowLink 2, all software releases prior to version 2.11.12. The affected component is the HaLow 802.11ah kernel driver within the HaLowLink 2 firmware stack.

Risk and Exploitability

The EPSS score is < 1% and this issue is not listed in CISA KEV, and the CVSS score is 6.8, reflecting moderate severity. The weakness enables local attackers in radio proximity to read sensitive kernel memory and disrupt system availability. The exploit involves sending a single crafted frame, so the barrier to exploitation is low for an attacker with wireless access to the target device.

Generated by OpenCVE AI on June 4, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HaLowLink 2 firmware to version 2.11.12 or later, which includes a validation check on the Vendor IE length.
  • If an upgrade cannot be performed immediately, block or filter 802.11ah beacon and probe response frames that contain Vendor Information Elements, or disable the faulty driver feature via device configuration if possible.
  • Continuously monitor the wireless interface for malformed 802.11ah frames and apply network‑level filtering to suppress suspicious traffic until a patch is applied.

Generated by OpenCVE AI on June 4, 2026 at 14:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Morse Micro
Morse Micro halowlink 2
Vendors & Products Morse Micro
Morse Micro halowlink 2

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-200

Thu, 04 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Description An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required.
Title Out-of-bounds read in morse.ko Vendor IE processing
First Time appeared Morsemicro
Morsemicro halow Link 2
CPEs cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*
Vendors & Products Morsemicro
Morsemicro halow Link 2
References

Subscriptions

Morse Micro Halowlink 2
Morsemicro Halow Link 2
cve-icon MITRE

Status: PUBLISHED

Assigner: Bugcrowd

Published:

Updated: 2026-06-04T13:01:15.389Z

Reserved: 2026-05-04T05:03:13.154Z

Link: CVE-2026-7764

cve-icon Vulnrichment

Updated: 2026-06-04T13:01:02.890Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-04T02:16:17.700

Modified: 2026-06-04T15:16:58.787

Link: CVE-2026-7764

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:09:24Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor