CVE-2026-7762
Awaiting Analysis Awaiting Analysis - Queue
Heap Overflow in HaLowLink 2 Wi-Fi Driver

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Bugcrowd Inc.

Description
A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-7762
EUVD
EUVD-2026-34780
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
morse_micro halowlink_2 to 2.11.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7762 is a heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver used in Morse Micro HaLowLink 2 software versions prior to 2.11.13.

An unauthenticated attacker within radio range can exploit this flaw by sending a specially crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element. This causes the function morse_dot11ah_find_s1g_caps_for_bssid() to copy more data than the allocated buffer size, leading to an overflow of up to 240 bytes into adjacent kernel heap memory.

The vulnerability can be triggered during normal scanning without any authentication, association, or user interaction.

Impact Analysis

This vulnerability can allow an attacker within radio range to cause a Denial of Service (DoS) by triggering a kernel panic, which crashes the system.

More critically, it may allow the attacker to achieve Remote Code Execution (RCE) on the affected device, potentially gaining control over the system.

Detection Guidance

This vulnerability is triggered by a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). Detection involves monitoring for such malformed 802.11ah frames within radio range.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade the HaLowLink 2 software to version 2.11.13 or later, where the issue has been resolved.

If you are using the dot11ah.ko driver in your own Linux integrations, ensure you update to version 2.11.13 or later to prevent exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7762. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart