CVE-2026-7764: HaLow Wi-Fi Kernel Driver Out-of-Bounds Read & DoS
A flaw in Morse Micro's HaLow Wi-Fi kernel driver allows an attacker within radio range to crash devices or leak small amounts of sensitive memory by sending a specially crafted wireless frame. The vulnerability exists because the driver doesn't properly validate the size of data embedded in beacon or probe response frames before reading from it. No password, pairing, or user action is needed—an attacker simply has to be nearby with the right equipment.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.8 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-30
NVD description (verbatim)
An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7764 is an out-of-bounds read in morse.ko, the HaLow (802.11ah) Wi-Fi kernel driver used in Morse Micro HaLowLink 2 devices. The function morse_vendor_find_vendor_ie() retrieves a Vendor Information Element (IE) from a received frame but performs only a minimal length check (IE > 3 bytes). When this IE is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), these functions read at fixed offsets without confirming the IE is large enough. An attacker crafting a beacon or probe response with an undersized IE can trigger a read up to 9 bytes beyond the allocated buffer on the kernel heap. This results in either information disclosure or a kernel panic (oops).
Business impact
Organizations deploying Morse Micro HaLowLink 2 devices in IoT or industrial settings face two immediate risks. First, attackers can remotely crash devices, disrupting critical applications without authentication. Second, heap memory leaks could expose sensitive kernel data or configuration information. The low barrier to entry (proximity and radio transmission) combined with the lack of authentication requirements means any device within range is potentially vulnerable. For deployments in security-sensitive environments, this poses operational continuity and confidentiality risks.
Affected systems
Morse Micro HaLowLink 2 devices running firmware versions prior to 2.11.12 are vulnerable. The affected components are the halowlink_2 hardware platform and its associated halowlink_2_firmware. HaLow (802.11ah) is a long-range, low-power Wi-Fi standard commonly used in smart grid, agricultural IoT, and industrial control applications. Organizations should inventory any HaLow devices in their infrastructure and verify firmware version.
Exploitability
Exploitability is straightforward. An attacker requires only radio proximity (within HaLow range, typically several kilometers) and the ability to craft and transmit malformed 802.11ah frames—feasible with commodity software-defined radio tools. No authentication, association, or user interaction is required. The kernel driver processes incoming frames unconditionally, making every HaLowLink 2 device a potential target. The relatively high barrier is geographic proximity rather than technical complexity. Public exploit code is not yet observed, but the vulnerability details are clear enough that development would be low-effort for a motivated threat actor.
Remediation
Upgrade HaLowLink 2 firmware to version 2.11.12 or later. This patch implements proper length validation in morse_vendor_find_vendor_ie() to ensure that incoming Vendor Information Elements meet the expected structure size before data is read from them. Verify the patch version against Morse Micro's official advisory and release notes. Organizations without immediate patching capability should consider temporarily isolating affected devices or restricting radio access to trusted networks.
Patch guidance
Update HaLowLink 2 devices to firmware version 2.11.12 or later. Consult Morse Micro's official firmware distribution channel or your device manufacturer's support portal for release packages and upgrade procedures. Firmware updates typically require device reboot; coordinate with operational teams to minimize downtime. After patching, validate that devices have successfully upgraded by checking firmware version through the device management interface. Establish a change control process to prevent accidental downgrade to vulnerable versions.
Detection guidance
Network detection is limited because the attack involves crafted wireless frames at the physical layer. Endpoint-focused monitoring should track kernel panic messages or unexpected device reboots correlated with unusual Wi-Fi activity. If available, enable driver-level or wireless diagnostics logging to identify malformed IE reception. Host-based memory sanitizers or kernel address space layout randomization (KASLR) mitigations may help contain the impact. Organizations without direct visibility into device internals should rely on firmware patching and network access controls (e.g., Wi-Fi SSID filtering or geofencing).
Why prioritize this
Although CVSS 6.8 (Medium) reflects limited scope and local vector constraints, the real-world risk is elevated for organizations with HaLow infrastructure. The lack of authentication combined with remote exploitability via radio transmission means attackers can cause denial of service with minimal barriers. Heap memory disclosure, while limited to ~9 bytes, could expose kernel pointers or configuration secrets. For critical infrastructure or industrial IoT deployments, a single compromised device can trigger cascading failures. Prioritize patching if HaLowLink 2 devices operate in production environments; deprioritize if devices are isolated or infrequently deployed.
Risk score, explained
The CVSS 3.1 score of 6.8 reflects a Medium severity because the attack vector is local (proximity-based radio), scope is unchanged, and impact is partial (confidentiality and availability, not integrity). However, this score may underweight the operational risk for mission-critical IoT and industrial applications. The lack of authentication and the feasibility of remote radio exploitation elevate practical risk beyond the numeric score. Consider raising internal risk ratings for devices in high-availability or safety-critical deployments.
Frequently asked questions
What is HaLow Wi-Fi and why should I care about this vulnerability?
HaLow (802.11ah) is a long-range, low-power Wi-Fi standard designed for IoT and industrial applications like smart grids, agricultural sensors, and utility metering. Devices can communicate kilometers away at low power, making them ideal for remote deployments. This vulnerability affects the kernel driver that handles HaLow communications, so any HaLow device running vulnerable Morse Micro firmware is at risk of crashing or leaking memory without the attacker needing to authenticate or pair with the device.
Can this vulnerability be exploited over the internet or only locally?
Only locally, in the sense that the attacker must be within radio range (typically several kilometers for HaLow). This is not a network vulnerability in the traditional sense—there is no remote code execution, and the attacker cannot exploit the device through standard internet routes. However, because HaLow is designed for long-range communication and requires no authentication, any actor with radio equipment within range can attempt exploitation.
How much sensitive data can an attacker leak?
The out-of-bounds read allows an attacker to leak up to 9 bytes from kernel heap memory per malformed frame. While small, this data could include kernel pointers, which could be used in subsequent attacks to bypass address space randomization (KASLR). The real impact depends on what happens to reside in heap memory at the time of the read; there is no guarantee of extracting high-value secrets, but repeated attempts could accumulate information over time.
Is there a workaround if I cannot patch immediately?
Patching is strongly recommended as the primary remediation. If immediate patching is not possible, consider isolating vulnerable devices to a separate network segment with restricted radio access, or temporarily powering down non-critical devices. Ensure devices are not exposed to untrusted radio environments. However, these are temporary measures; patching to version 2.11.12 or later should be prioritized within your standard change window.
This analysis is based on published vulnerability data and Morse Micro's advisory. Patch versions, release dates, and specific firmware features are sourced from official vendor documentation; verify all technical details against the latest Morse Micro release notes and security advisories. SEC.co does not host exploit code or weaponized proof-of-concept information. The CVSS score provided reflects vendor assessment and may not account for organizational risk context; adjust internal risk ratings based on your deployment topology and criticality. This information is for defensive purposes only and should inform patch management and incident response planning. No guarantee is made regarding the completeness or timeliness of this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-70101MEDIUMlwext4 1.0.0 Out-of-Bounds Read Denial of Service
- CVE-2026-10305MEDIUMOut-of-Bounds Read in Samsung rlottie Animation Library
- CVE-2026-10979MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability
- CVE-2026-10985MEDIUMOut-of-Bounds Read in Google Chrome Skia – Data Leakage Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11005MEDIUMOut-of-Bounds Read in Chrome ANGLE on Windows