CVE-2026-7762
Received Received - Intake
BaseFortify

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Bugcrowd Inc.

Description
A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-05
AI Q&A
2026-06-05
EPSS Evaluated
N/A
NVD
CVE-2026-7762
EUVD
EUVD-2026-34780
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
morse_micro halowlink_2 to 2.11.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7762 is a heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver used in Morse Micro HaLowLink 2 software versions prior to 2.11.13.

An unauthenticated attacker within radio range can exploit this flaw by sending a specially crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element. This causes the function morse_dot11ah_find_s1g_caps_for_bssid() to copy more data than the allocated buffer size, leading to an overflow of up to 240 bytes into adjacent kernel heap memory.

The vulnerability can be triggered during normal scanning without any authentication, association, or user interaction.


How can this vulnerability impact me? :

This vulnerability can allow an attacker within radio range to cause a Denial of Service (DoS) by triggering a kernel panic, which crashes the system.

More critically, it may allow the attacker to achieve Remote Code Execution (RCE) on the affected device, potentially gaining control over the system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is triggered by a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). Detection involves monitoring for such malformed 802.11ah frames within radio range.

Specific commands to detect this vulnerability are not provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the HaLowLink 2 software to version 2.11.13 or later, where the issue has been resolved.

If you are using the dot11ah.ko driver in your own Linux integrations, ensure you update to version 2.11.13 or later to prevent exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart