CRITICAL | CVE-2026-7763 | CNA: Bugcrowd

CVE-2026-7763: Heap buffer overflow in morse.ko TIM IE processing

A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
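The missing validation described above, shown as an added example that is not code from morse.ko or from Morse Micro: a TIM IE parser that checks the received length against the frame and against the destination buffer before any memset or memcpy. The 3-byte fixed header follows the classic 802.11 TIM layout, and `TIM_BITMAP_CAP`, `struct tim_state`, `tim_parse_checked` and `tim_demo` are hypothetical names and sizes chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_ID_TIM       5   /* 802.11 element ID for TIM */
#define TIM_FIXED_LEN   3   /* DTIM count, DTIM period, bitmap control (assumed layout) */
#define TIM_BITMAP_CAP  32  /* hypothetical destination size, not the driver's value */

struct tim_state {
    uint8_t dtim_count, dtim_period, bitmap_ctrl;
    uint8_t bitmap[TIM_BITMAP_CAP];   /* fixed-size destination buffer */
    size_t  bitmap_len;
};

/* Parses one TIM IE starting at ie[0]; avail is the number of bytes left in
 * the frame. Returns 0 on success, a negative code when the IE is rejected. */
int tim_parse_checked(const uint8_t *ie, size_t avail, struct tim_state *out)
{
    if (avail < 2 || ie[0] != IE_ID_TIM)
        return -1;                      /* no IE header, or not a TIM IE */
    size_t ie_len = ie[1];              /* taken from the air: 0..255 */
    if (ie_len > avail - 2)
        return -2;                      /* IE claims more bytes than the frame holds */
    if (ie_len < TIM_FIXED_LEN)
        return -3;                      /* too short: the subtraction below would wrap */
    size_t bitmap_len = ie_len - TIM_FIXED_LEN;
    if (bitmap_len > sizeof(out->bitmap))
        return -4;                      /* length vs. destination size: the check the
                                           advisory describes as missing */
    out->dtim_count  = ie[2];
    out->dtim_period = ie[3];
    out->bitmap_ctrl = ie[4];
    memset(out->bitmap, 0, sizeof(out->bitmap));   /* sized by the buffer, not the IE */
    memcpy(out->bitmap, ie + 2 + TIM_FIXED_LEN, bitmap_len);
    out->bitmap_len = bitmap_len;
    return 0;
}

/* Constructed sample input: a zero-filled TIM IE whose length byte is
 * claimed_len, parsed as if frame_bytes (at most 257) remained in the frame. */
int tim_demo(uint8_t claimed_len, size_t frame_bytes)
{
    uint8_t frame[2 + 255] = {0};
    struct tim_state st;
    frame[0] = IE_ID_TIM;
    frame[1] = claimed_len;
    return tim_parse_checked(frame, frame_bytes, &st);
}
```
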

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 2.11.13
Affected Products: 1


HarborGuard Analysis

Synopsis

A heap-based buffer overflow exists in the morse.ko HaLow Wi-Fi kernel driver, part of Morse Micro HaLowLink 2 software versions before 2.11.13. An unauthenticated attacker within Wi-Fi radio range can send a crafted 802.11ah beacon frame containing a malformed TIM Information Element, triggering the overflow without any authentication or user interaction because beacon frames are processed passively. Successful exploitation causes a kernel panic (denial of service) or achieves remote code execution on the host. A patched-image rebuild at version 2.11.13 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-7763 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the morse.ko driver or the HaLowLink 2 package. Any image in a customer registry or CI/CD pipeline that carries an affected version is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to HaLowLink 2 version 2.11.13 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be within 802.11ah (HaLow) radio range of a device running the vulnerable driver; no IP-layer connectivity is needed, but physical or near-physical proximity to the wireless medium is required.

  • Authentication: Not required

    No authentication, association, or prior network relationship is needed; the vulnerable code path is triggered during passive beacon processing before any handshake occurs.

  • Victim interaction: Not required

    The affected device processes broadcast beacon frames autonomously during passive scanning, so no user action is required to trigger the overflow.

  • Attack complexity: Detail

    Attack complexity is low; the exploit is reliable and condition-free, requiring only that the attacker craft a beacon frame with a malformed TIM IE and broadcast it within radio range.

Blast Radius

  • Crashes the host kernel via panic, taking down all services and workloads running on the affected system.
  • Achieves arbitrary code execution in kernel space, giving the attacker full control over the host operating system and all data it processes.
  • Reads any data accessible to the kernel, including cryptographic keys, session tokens, and memory belonging to other processes.
  • Modifies or destroys kernel data structures, persisted files, or memory belonging to co-located container workloads on the same host.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-7763 is active for all images scanned through the platform, with ingestion from upstream feeds typically completing within minutes of advisory publication. For environments with auto-remediation enabled, HarborGuard can rebuild affected images at HaLowLink 2 version 2.11.13, execute a regression test run against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image at 2.11.13 is staged and the finding is routed to the responsible team for review. Given the zero-interaction, over-the-air nature of this exploit, organizations that cannot immediately redeploy a patched image should consider network-policy controls that restrict which hosts are exposed to untrusted 802.11ah radio environments, such as isolating HaLow-capable nodes behind a dedicated VLAN or disabling passive scanning where operationally feasible, until a patched image is deployed.


Fix available: 2.11.13

Affected packages
  • Morse Micro / HaLowLink 2: < 2.11.13 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H