CVE-2026-7763
CVE Title
Heap buffer overflow in morse.ko TIM IE processing
Description
A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
Overview
- State: PUBLISHED
- Assigner (CNA): Bugcrowd
- CVSS severity: —
- CVSS score: —
- CVSS vector: —
- Effective score: no score available from CNA, NVD, or AI yet
- CWE(s): CWE-122 Heap-based Buffer Overflow
- Reserved: 2026-05-04
- Published: 2026-06-05 01:39 UTC
- Last updated: 2026-06-05 01:39 UTC
- Source: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/7xxx/CVE-2026-7763.json
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Morse Micro | HaLowLink 2 | 0 (affected) | — |
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
Raw JSON
The full cvelistV5 record. Download as CVE-2026-7763.json.
{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HaLowLink 2",
          "vendor": "Morse Micro",
          "versions": [
            {
              "lessThan": "2.11.13",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.11.13",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T01:39:33.488Z",
        "orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
        "shortName": "Bugcrowd"
      },
      "references": [
        {
          "url": "https://www.morsemicro.com/security-advisories/MM-SA-2026-001"
        }
      ],
      "title": "Heap buffer overflow in morse.ko TIM IE processing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
    "assignerShortName": "Bugcrowd",
    "cveId": "CVE-2026-7763",
    "datePublished": "2026-06-05T01:39:33.488Z",
    "dateReserved": "2026-05-04T05:03:00.671Z",
    "dateUpdated": "2026-06-05T01:39:33.488Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}