CVE-2026-7763 (GCVE-0-2026-7763)
Vulnerability from cvelistv5 – Published: 2026-06-05 01:39 – Updated: 2026-06-05 01:39
VLAI
Title
Heap buffer overflow in morse.ko TIM IE processing
Summary
A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Morse Micro | HaLowLink 2 |
Affected:
0 , < 2.11.13
(semver)
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HaLowLink 2",
"vendor": "Morse Micro",
"versions": [
{
"lessThan": "2.11.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.11.13",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T01:39:33.488Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://www.morsemicro.com/security-advisories/MM-SA-2026-001"
}
],
"title": "Heap buffer overflow in morse.ko TIM IE processing"
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2026-7763",
"datePublished": "2026-06-05T01:39:33.488Z",
"dateReserved": "2026-05-04T05:03:00.671Z",
"dateUpdated": "2026-06-05T01:39:33.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-7763\",\"sourceIdentifier\":\"4ac701fe-44e9-4bcd-9585-dd6449257611\",\"published\":\"2026-06-05T02:17:14.640\",\"lastModified\":\"2026-06-05T02:17:14.640\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://www.morsemicro.com/security-advisories/MM-SA-2026-001\",\"source\":\"4ac701fe-44e9-4bcd-9585-dd6449257611\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…