CVE-2026-7764 Overview
CVE-2026-7764 is an out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver shipped with Morse Micro HaLowLink 2 software. The flaw affects versions prior to 2.11.12. An unauthenticated attacker within radio range can trigger the condition by transmitting a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element (IE). Successful exploitation discloses a small amount of kernel heap memory or triggers a kernel oops or panic, resulting in denial of service. No authentication, association, or user interaction is required.
Critical Impact
A radio-range attacker can read up to 9 bytes of kernel heap memory or crash the kernel by sending a single malformed 802.11ah frame.
Affected Products
- Morse Micro HaLowLink 2 software versions prior to 2.11.12
- morse.ko HaLow Wi-Fi kernel driver
- Devices integrating the affected Morse Micro 802.11ah stack
Discovery Timeline
- 2026-06-04 - CVE-2026-7764 published to NVD
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-7764
Vulnerability Analysis
The vulnerability resides in the Vendor Information Element parsing logic of the morse.ko kernel driver. The function morse_vendor_find_vendor_ie() locates Vendor IEs in incoming 802.11ah management frames and forwards a pointer to the IE data to downstream consumers. Two of those consumers, morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), read fields at fixed offsets within the IE without performing their own bounds checks.
Because the parser accepts the IE as valid when it is longer than 3 bytes, an attacker can craft an undersized Vendor IE that satisfies the minimum length check but is shorter than the structure the downstream functions expect. The resulting fixed-offset reads access memory beyond the IE buffer, producing a heap out-of-bounds read of up to 9 bytes.
Root Cause
The root cause is missing length validation against the expected Vendor IE structure size. The existing check confirms only that the IE exceeds 3 bytes, which is insufficient for the structure layouts consumed downstream. This is a classic out-of-bounds read pattern where one component validates presence while another assumes full structure size.
Attack Vector
Exploitation occurs over the air. An attacker within 802.11ah radio range transmits a beacon or probe response frame containing a malformed Vendor IE. The vulnerable driver parses incoming management frames before association, so the target requires no prior trust relationship with the attacker. Repeated transmission can be used to leak heap contents incrementally or to keep the device in a crash loop. Technical details are available in the Morse Micro Security Advisory.
No verified proof-of-concept code is publicly available. The vulnerability mechanism is described in the vendor advisory rather than reproduced here.
Detection Methods for CVE-2026-7764
Indicators of Compromise
- Kernel oops or panic entries in dmesg referencing morse_vendor_find_vendor_ie, morse_vendor_rx_caps_ops_ie, or morse_vendor_fill_sta_vendor_info
- Unexpected reboots or watchdog-triggered restarts on HaLowLink 2 devices
- 802.11ah beacon or probe response frames containing Vendor IEs shorter than the expected structure size
Detection Strategies
- Capture 802.11ah management frames using a HaLow-capable monitor interface and flag Vendor IEs whose declared length is between 4 and the expected structure minimum.
- Correlate kernel crash telemetry from HaLowLink 2 devices with nearby RF activity to identify targeted attacks.
- Compare driver and firmware versions across the fleet to confirm all devices run 2.11.12 or later.
Monitoring Recommendations
- Forward kernel log output from HaLowLink 2 devices to a central logging system and alert on morse module stack traces.
- Monitor device availability with active health checks to identify denial-of-service patterns indicative of repeated frame injection.
- Track wireless management frame anomalies through any available wireless intrusion detection capability covering the 802.11ah band.
How to Mitigate CVE-2026-7764
Immediate Actions Required
- Upgrade Morse Micro HaLowLink 2 software to version 2.11.12 or later on every affected device.
- Inventory deployed HaLow devices and verify the running driver and firmware versions match the patched release.
- Restrict physical proximity and shielding where feasible to limit radio-range exposure until patching is complete.
Patch Information
Morse Micro has released HaLowLink 2 software version 2.11.12, which corrects the length validation in morse_vendor_find_vendor_ie() before its result is consumed by morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(). Refer to the Morse Micro Security Advisory for release artifacts and upgrade instructions.
Workarounds
- No vendor-supplied workaround replaces patching. Apply the fixed software release.
- Where patching is delayed, reduce attack surface by disabling 802.11ah interfaces on devices that do not require HaLow connectivity.
- Operate affected devices only in RF-controlled environments until the upgrade is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
