CVE-2026-7764

Vulnerability

An out-of-bounds read vulnerability exists in the morse.ko HaLow Wi-Fi kernel driver within Morse Micro HaLowLink 2 software versions prior to 2.11.12. The function morse_vendor_find_vendor_ie() fails to validate the length of a Vendor Information Element (IE) before passing it to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(). This allows an attacker to craft an undersized IE, leading to an out-of-bounds read of up to 9 bytes from the kernel heap [1].

Exploitation

An unauthenticated attacker within radio range can exploit this vulnerability by sending a specially crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The vulnerability does not require any form of authentication, association, or user interaction to be triggered [1].

Impact

Successful exploitation allows an attacker to disclose a small amount of kernel heap memory, potentially revealing sensitive information. Alternatively, the vulnerability can lead to a Denial of Service (DoS) condition, causing a kernel oops or panic, thereby disrupting the affected device's operation [1].

Mitigation

Morse Micro HaLowLink 2 software version 2.11.12 and later contain a fix for this vulnerability. No workarounds are disclosed in the available references. The advisory does not mention if the affected software is end-of-life or if it has been added to the Known Exploited Vulnerabilities (KEV) catalog [1].