CVE-2026-7762: Heap buffer overflow in dot11ah.ko S1G Capabilities IE processing
A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.
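As an added illustration of the parsing defect described above (this is not code from Morse Micro's driver or from HarborGuard), the following C parser walks an 802.11 information-element list and copies the S1G Capabilities element only after checking its declared length against both the remaining frame and the 15-byte destination. The element ID 0xD9 and the 15-byte destination size come from the advisory; the function names, the result codes, the simple id/length/payload element layout and the sample byte strings are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Values taken from the advisory: the S1G Capabilities element ID and the
 * size of the destination buffer the driver copies the element into. */
#define S1G_CAPS_IE_ID  0xD9
#define S1G_CAPS_LEN    15

struct s1g_caps {
    uint8_t data[S1G_CAPS_LEN];
};

enum ie_result {
    IE_OK        =  0,
    IE_NOT_FOUND = -1,   /* no S1G Capabilities element in the list */
    IE_TRUNCATED = -2,   /* an element's declared length runs past the frame */
    IE_BAD_LEN   = -3    /* S1G Capabilities length exceeds the destination */
};

/* Walk an 802.11 information-element list (repeated id, length, payload
 * triples) and copy the S1G Capabilities element into *out.
 *
 * The defect described in the advisory amounts to the pattern (assumed
 * shape, not the vendor's code):
 *     memcpy(out->data, &ies[off + 2], len);   // len is frame-supplied, 0..255
 * where out->data holds only 15 bytes. The hardened version below refuses
 * any element whose length does not fit the destination or the frame. */
int find_s1g_caps(const uint8_t *ies, size_t ies_len, struct s1g_caps *out)
{
    size_t off = 0;

    while (off + 2 <= ies_len) {            /* need room for id + length */
        uint8_t id  = ies[off];
        uint8_t len = ies[off + 1];

        if (off + 2 + len > ies_len)
            return IE_TRUNCATED;            /* never read past the frame */

        if (id == S1G_CAPS_IE_ID) {
            if (len > S1G_CAPS_LEN)
                return IE_BAD_LEN;          /* the destination-size check the bug lacks */
            memset(out->data, 0, S1G_CAPS_LEN);
            memcpy(out->data, &ies[off + 2], len);
            return IE_OK;
        }
        off += 2 + len;
    }
    return IE_NOT_FOUND;
}

/* Constructed sample element lists (not captured traffic). */
static const uint8_t good_ies[] = {
    0x00, 0x04, 'H', 'a', 'L', 'o',                             /* SSID element */
    0xD9, 0x0F, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F          /* 15-byte S1G caps */
};
static const uint8_t oversized_ies[] = {                         /* declared length 20 > 15 */
    0xD9, 0x14, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};
static const uint8_t truncated_ies[] = { 0xD9, 0x0F, 0x01, 0x02, 0x03 }; /* claims 15, carries 3 */
static const uint8_t missing_ies[]   = { 0x00, 0x04, 'H', 'a', 'L', 'o' };

/* Wrappers so each sample's outcome is a plain return value. */
int parse_good(void)      { struct s1g_caps c; return find_s1g_caps(good_ies, sizeof good_ies, &c); }
int parse_oversized(void) { struct s1g_caps c; return find_s1g_caps(oversized_ies, sizeof oversized_ies, &c); }
int parse_truncated(void) { struct s1g_caps c; return find_s1g_caps(truncated_ies, sizeof truncated_ies, &c); }
int parse_missing(void)   { struct s1g_caps c; return find_s1g_caps(missing_ies, sizeof missing_ies, &c); }

/* Byte i of the caps copied from the well-formed sample, or -1 on any failure. */
int good_caps_byte(size_t i)
{
    struct s1g_caps c;
    if (i >= S1G_CAPS_LEN || find_s1g_caps(good_ies, sizeof good_ies, &c) != IE_OK)
        return -1;
    return c.data[i];
}

int main(void)
{
    printf("good:      %d (first byte 0x%02X)\n", parse_good(), good_caps_byte(0));
    printf("oversized: %d\n", parse_oversized());
    printf("truncated: %d\n", parse_truncated());
    printf("missing:   %d\n", parse_missing());
    return 0;
}
```

The frame-bounds check alone does not stop this class of bug: the oversized sample is internally consistent (its 20 payload bytes are really present), so only the comparison against the destination size rejects it. Both checks belong in any TLV parser that copies into fixed-size kernel objects.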
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 2.11.13
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap-based buffer overflow exists in the dot11ah.ko HaLow Wi-Fi kernel driver shipped with Morse Micro HaLowLink 2 software versions prior to 2.11.13. An unauthenticated attacker within radio range can trigger the flaw by broadcasting a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities IE, requiring no authentication, association, or user interaction. Successful exploitation crashes the kernel or achieves remote code execution on the affected host. A patched-image rebuild at version 2.11.13 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Available: Detection capability is available across every HarborGuard environment: CVE-2026-7762 is ingested from upstream vulnerability feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Morse Micro HaLowLink 2 driver, across all connected registries and CI/CD pipelines.
- Available: HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 9.8 (Critical) and weighting findings against each environment's compliance policy to surface the alert in the appropriate team inbox within the customer organization.
- Available: A patched-image rebuild targeting HaLowLink 2 version 2.11.13 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be within 802.11ah radio range of the target device, as the malicious frame is delivered over the wireless medium without any prior network association.
- Authentication: Not required
No credentials, association, or prior relationship with the target is needed; the vulnerability is triggered during passive scanning before any authentication handshake.
- Victim interaction: Not required
The target device requires no user action; normal background Wi-Fi scanning is sufficient to deliver the malicious frame to the vulnerable parsing code.
- Attack complexity: Low
Exploitation is reliable and condition-free once the attacker is within radio range, with no race conditions or memory-layout dependencies required to trigger the overflow.
Blast Radius
- An attacker can write up to 240 bytes of attacker-controlled data past the 15-byte destination buffer into adjacent kernel heap memory, enabling reliable kernel panic and denial of service.
- With a suitable heap-layout primitive, the overflow allows an attacker to overwrite adjacent kernel objects and redirect execution flow, achieving remote code execution in kernel context.
- Kernel-level code execution grants full read access to all memory on the host, including credentials, session tokens, cryptographic keys, and any data held in kernel or user space.
- At the same kernel privilege level, an attacker can modify or destroy persisted data, load arbitrary kernel modules, and take complete control of the affected device.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-7762 is active against all images in connected registries and pipelines, with results scored at Critical (9.8) and routed according to each environment's compliance policy. Where compliance policy permits auto-remediation, HarborGuard rebuilds affected images at HaLowLink 2 version 2.11.13, runs a regression test suite against the rebuilt image, and opens a pull request targeting affected workloads. For high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the patched rebuild at 2.11.13 is still made available for manual promotion. Given the network-adjacent, zero-interaction, zero-authentication nature of this flaw, organizations should also consider applying network-policy controls to isolate affected hosts from untrusted radio environments as a compensating control until the patched image is deployed.
Fix available
- Morse Micro / HaLowLink 2: < 2.11.13 (from 0)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H