CVE-2026-7762
Description
Heap-based buffer overflow in Morse Micro HaLow Wi-Fi driver allows DoS or RCE via crafted beacon frames.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow vulnerability exists in the dot11ah.ko HaLow Wi-Fi kernel driver within Morse Micro HaLowLink 2 software versions prior to 2.11.13. The function morse_dot11ah_find_s1g_caps_for_bssid() processes the S1G Capabilities Information Element (IE, element ID 0xD9) without validating the IE length field against a 15-byte destination buffer. This allows an attacker to supply up to 255 bytes, leading to an overflow of up to 240 bytes into adjacent kernel heap memory [1].
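The length check described above as missing, written as a stand-alone C function. This is an added example, not Morse Micro's driver code or its patch; the name `copy_s1g_caps_checked`, the destination struct and the sample buffers are hypothetical, and rejecting every length other than 15 is this example's choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_EID_S1G_CAPABILITIES 0xD9 /* element ID from the advisory */
#define S1G_CAPS_LEN 15                /* destination size from the advisory */

/* Hypothetical destination; the driver's real structure is not on the page. */
struct s1g_caps_copy { uint8_t data[S1G_CAPS_LEN]; };

/* Walk the ID/length/value elements of a beacon or probe response body and
 * copy the S1G Capabilities element. Returns 0 on success, -1 if the element
 * is absent, truncated, or not exactly S1G_CAPS_LEN bytes. */
int copy_s1g_caps_checked(const uint8_t *ies, size_t ies_len,
                          struct s1g_caps_copy *dst)
{
    size_t off = 0;

    while (ies_len - off >= 2) {            /* room for ID + length */
        uint8_t id = ies[off], len = ies[off + 1];

        if (len > ies_len - off - 2)        /* value runs past the frame */
            return -1;
        if (id == WLAN_EID_S1G_CAPABILITIES) {
            /* The missing check: the on-air length byte (0..255) is
             * compared with the fixed destination size before copying. */
            if (len != S1G_CAPS_LEN)
                return -1;
            memcpy(dst->data, &ies[off + 2], S1G_CAPS_LEN);
            return 0;
        }
        off += 2 + (size_t)len;
    }
    return -1;
}

/* Constructed sample buffers, not captured traffic. */
static const uint8_t ok_ies[] = { 0x00, 2, 'h', 'l', 0xD9, 15,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
static const uint8_t long_ies[] = { 0xD9, 16,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t cut_ies[] = { 0xD9, 15, 1, 2, 3 };
static struct s1g_caps_copy out;           /* scratch destination */

int main(void)
{
    return !(copy_s1g_caps_checked(ok_ies, sizeof ok_ies, &out) == 0 &&
             copy_s1g_caps_checked(long_ies, sizeof long_ies, &out) == -1 &&
             copy_s1g_caps_checked(cut_ies, sizeof cut_ies, &out) == -1);
}
```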
Exploitation
An unauthenticated attacker within radio range can trigger this vulnerability by sending a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (element ID 0xD9) with an oversized length field. The vulnerability is triggerable during normal scanning operations without requiring authentication, association, or user interaction [1].
Impact
Successful exploitation can cause a Denial of Service (kernel panic). Remote Code Execution (RCE) is also possible, because the overflow writes attacker-controlled data into adjacent kernel heap memory, which could be leveraged to gain control of the system [1].
Mitigation
Morse Micro has released version 2.11.13 as of June 4, 2026, which addresses this vulnerability. Users are advised to update to version 2.11.13 or later. No workarounds are specified in the available references [1].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <2.11.13
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.