--:--:--UTC

Searching APEX

Starting…

  1. Searching Threats, IOCs & Threat Intelligence locally
  2. Querying external providers
  3. Asking AI Forensic Validator
  4. Creating new entry from validated hit

0s elapsed

CVE-2026-7762

📛 CVE Title

Heap buffer overflow in dot11ah.ko S1G Capabilities IE processing

⬇ Download JSON

Description

A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.

Overview

State
PUBLISHED
Assigner (CNA)
Bugcrowd
CVSS severity
CVSS score
CVSS vector
Effective score
no score available from CNA, NVD, or AI yet
CWE(s)
CWE-122 Heap-based Buffer Overflow
Reserved
2026-05-04
Published
2026-06-05 01:36 UTC
Last updated
2026-06-05 01:36 UTC
Source
https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/7xxx/CVE-2026-7762.json

AI-forensic CVSS estimate

Used only when a CVE has no official CVSS from its CNA or NVD. An LLM estimates the v3.1 base score from the description; a HIGH/CRITICAL estimate promotes the CVE to a Threat.

No AI estimate yet — it runs automatically once NVD has been checked, or click the button above.

Affected products (1)
VendorProductVersionsPlatforms
Morse Micro HaLowLink 2 0 (affected)

Remediations (0)

No remediations stored yet — an automatic web search has been queued to a collection agent. Please wait while we search for remediations… this page reloads automatically when results arrive.

Vendor references (1)

References embedded in the original CVE record by the assigning CNA.

Web references (0)

DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.

No web references attached yet.

AI Forensic Analysis

Only Available for Registered Users. Sign in to view.

Raw JSON

The full cvelistV5 record. Download as CVE-2026-7762.json.

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HaLowLink 2",
          "vendor": "Morse Micro",
          "versions": [
            {
              "lessThan": "2.11.13",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.11.13",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T01:36:20.993Z",
        "orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
        "shortName": "Bugcrowd"
      },
      "references": [
        {
          "url": "https://www.morsemicro.com/security-advisories/MM-SA-2026-002"
        }
      ],
      "title": "Heap buffer overflow in dot11ah.ko S1G Capabilities IE processing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
    "assignerShortName": "Bugcrowd",
    "cveId": "CVE-2026-7762",
    "datePublished": "2026-06-05T01:36:20.993Z",
    "dateReserved": "2026-05-04T05:02:07.918Z",
    "dateUpdated": "2026-06-05T01:36:20.993Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}