CVE-2026-7762 · A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to

01 · The Real Story

This is a landmine in a long-range radio bridge, not a wormhole on the public internet

CVE-2026-7762 is described as a heap-based buffer overflow in dot11ah.ko, the HaLow Wi-Fi kernel driver used by Morse Micro HaLowLink 2 software, with disclosure on 2026-06-05. The user-supplied version range is incomplete (versions prior to ...), so the only safe statement is that HaLowLink 2 builds before an unspecified fixed release are affected; publicly observed HaLowLink 2 deployments were running 2.11.8 in February 2026, and Morse later published an OpenWrt SDK update to 2.11.12 in May 2026.

There is no official CVSS or vendor severity to inherit here, so this has to be judged from first principles. The reality is: kernel-space memory corruption in a wireless frame parser is dangerous, but the attack path is adjacent 802.11ah RF, not internet-wide reachability, and it likely requires specialized HaLow-capable tooling rather than commodity Wi-Fi gear; that combination lands this at = ASSESSED AT HIGH, not CRITICAL.

"Kernel corruption over long-range 802.11ah is serious, but niche adjacent-RF reach keeps it out of CRITICAL"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get into HaLow radio range

The attacker first needs a transmitter that can speak 802.11ah / Wi-Fi HaLow and must get within the target's RF footprint. In practice that likely means a custom SDR workflow or a modified Morse Micro Linux/OpenWrt stack using the vendor's public driver and hostap ecosystem as a starting point, because 802.11ah tooling is still niche.

Conditions required:

Physical proximity or line-of-sight into the target's HaLow coverage area
Hardware/software capable of transmitting crafted 802.11ah frames in the correct regional band
The target's HaLow interface is enabled

Where this breaks in practice:

This is not internet-reachable by default
802.11ah-capable offensive tooling is uncommon compared with normal Wi-Fi tooling
Regional frequency restrictions and device-specific radio support narrow the attacker pool

Detection/coverage: Traditional vuln scanners will miss this. Detection is mostly environmental: RF monitoring, physical-site awareness, and inventorying which gateways actually have HaLow enabled.

STEP 02

Feed crafted frames into the vulnerable parser

Once in range, the attacker has to deliver a frame sequence that reaches the vulnerable code path in dot11ah.ko. Because this sits in the kernel driver path, exploitation may occur before authentication depending on the exact parser location, but the public description does not expose enough detail to prove the exact frame type.

Conditions required:

A vulnerable HaLowLink 2 software build
A frame type/state combination that is accepted by the target radio stack
The attacker understands enough of the proprietary/802.11ah-specific parsing path to hit the bug

Where this breaks in practice:

No public exploit or crash recipe was found
Wireless parser bugs often need precise state timing and frame formatting
Some deployments may only expose the vulnerable path in AP, mesh, or bridge scenarios

Detection/coverage: Commodity IDS/WIDS coverage for 802.11ah is weak. Useful evidence would be unusual association attempts, malformed-frame counters if exposed, and bursts of morse/dot11ah errors in logread or dmesg.

STEP 03

Trigger kernel heap corruption

If the malicious frame lands correctly, the target driver overflows heap memory in kernel context. The likely first observable outcome is driver crash, kernel oops, radio reset, or watchdog reboot; reliable RCE is plausible because it is a heap overflow in kernel space, but not guaranteed from the public facts alone.

Conditions required:

The malformed input reaches the vulnerable allocation/copy path
Memory layout is favorable enough for corruption to be meaningful

Where this breaks in practice:

Many wireless memory-corruption bugs are easier to weaponize for DoS than stable code execution
Build differences, compiler options, and watchdog behavior can reduce exploit reliability

Detection/coverage: Look for kernel panic, Oops, unexplained reboots, dot11ah faults, or repeated radio module unload/reload behavior.

STEP 04

Turn a radio bug into gateway compromise

If the attacker crosses from corruption into control, they own an OpenWrt-based edge gateway that bridges long-range IoT traffic back into the local network. That can mean interception of attached device traffic, tampering with bridge behavior, persistence on the gateway, or using the box as a foothold into adjacent management networks.

Conditions required:

Exploit reliability beyond a simple crash
Post-exploitation access to the router filesystem or management plane

Where this breaks in practice:

Blast radius is usually limited to the gateway and the segment it bridges, not the whole enterprise
Many HaLowLink 2 deployments are purpose-built edge nodes rather than core identity/control systems

Detection/coverage: Watch for configuration drift, unknown SSH keys, changed startup scripts, unusual bridge/NAT settings, and management-plane access from unexpected IPs.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found. The CVE is not in CISA KEV, and no campaign reporting or exploitation reporting surfaced in public web results reviewed for this assessment.
Proof-of-concept availability	No public PoC located. Searches for the CVE on web/GitHub-facing indexes did not surface exploit code, crash reproducer repos, or writeups tied to this identifier.
EPSS	No EPSS record found for this CVE at assessment time. FIRST states EPSS is generated automatically for published CVEs, but no public score surfaced for `CVE-2026-7762`.
KEV status	Not KEV-listed. Public CISA KEV catalog review showed no listing for `CVE-2026-7762`.
Attack surface / vector reality	Adjacent RF, likely unauthenticated. The flaw is in the `dot11ah.ko` Wi-Fi HaLow kernel driver, so the realistic exposure is radio proximity over 802.11ah, not a commodity internet service port. Inference: the closest CVSS shape would likely start with `AV:A` rather than `AV:N`.
Affected versions	User-provided intel says HaLowLink 2 software versions prior to an unspecified fixed release. Public community posts show HaLowLink 2 version 2.11.8 in the field during February 2026.
Fixed versions	Exact fixed version not publicly stated in the sources reviewed. Public Morse Micro community posts show an OpenWrt SDK update to 2.11.12 by 2026-05-22, but that cannot be asserted as the CVE fix without an advisory explicitly saying so.
Scanning / exposure data	No meaningful public internet exposure data found from public web results for Shodan/Censys/GreyNoise/FOFA. That is expected: the vulnerable path is an 802.11ah radio parser, which is generally not banner-enumerable over the public internet.
Disclosure date	2026-06-05 per the user-supplied disclosure intel.
Reporter / discoverer	Not publicly attributed in the sources reviewed.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to HIGH (7.6/10)

The decisive factor is attacker position: this is a niche adjacent-RF exploit path against 802.11ah, not a broadly exposed internet service. It stays in HIGH because the bug sits in kernel-space wireless parsing, so a successful hit can crash or potentially fully compromise the gateway without needing prior foothold on the box.

HIGH Assessment that exposure is **adjacent 802.11ah RF** rather than internet-wide

MEDIUM Assessment that successful impact can extend to **kernel-level compromise**, not just DoS

LOW Exact affected/fixed version cutoff because the public version range is incomplete

Why this verdict

Started at High because this is kernel-memory corruption in a wireless parser; if exploitation is reliable, the attacker is not just crashing a process, they are corrupting memory in the gateway's kernel driver path.
Downward pressure: attacker must be in 802.11ah radio range; that implies *adjacent physical/RF access*, not unauthenticated remote internet access, which sharply narrows real-world reachability.
Downward pressure: the exposed population is niche and tooling is specialized; HaLowLink 2 is a young, uncommon IoT gateway platform and 802.11ah offensive tooling is far less common than normal Wi-Fi attack tooling.
Upward pressure: HaLow's long range weakens the usual 'adjacent only' comfort blanket; these devices are marketed for large outdoor/industrial footprints, so 'adjacent' can still mean hundreds of meters to roughly a kilometer in favorable conditions.
Downward pressure: no KEV, no public exploit, no public campaign evidence; absent exploitation telemetry, this is not a drop-everything emergency today.

Why not higher?

This is not CRITICAL because the exploit path is not broadly internet reachable, the affected product family is not mainstream enterprise edge infrastructure, and there is no current public exploitation evidence. The need for 802.11ah-capable gear plus RF proximity compounds the friction enough to keep it below the top bucket.

Why not lower?

This is not MEDIUM because the bug is heap corruption in a kernel driver, not a harmless input-validation error in a userland helper. If an attacker can hit the parser, the likely outcomes are at least reliable DoS and plausibly full gateway compromise, which is too much impact to backlog casually.

05 · Compensating Control

What to do — in priority order.

Map every HaLowLink 2 deployment — Build an owner-and-location inventory of every HaLowLink 2 and note whether 802.11ah is actually enabled. For a HIGH verdict, do this and tag exposed units within 30 days so you know which gateways sit near public roads, shared buildings, field edges, or contractor-access areas.
Reduce unnecessary HaLow exposure — Disable the HaLow radio on units not actively using 802.11ah, and remove unused mesh/AP modes where operationally possible. This is the cleanest temporary risk reduction for a parser bug in the radio path, and for HIGH severity it should be applied within 30 days.
Harden the gateway as an untrusted edge node — Put HaLowLink 2 management access behind a dedicated management VLAN, restrict SSH/Web UI to admin jump hosts, and block east-west reach from the gateway into sensitive networks. Do this within 30 days because if the radio parser falls over into compromise, segmentation is what keeps it from becoming a broader incident.
Pull the devices back from public RF edges — Where practical, move antennas/gateways away from publicly accessible perimeters, reduce RF overspill, and avoid installing them where an attacker can sit comfortably in the coverage zone. This matters because 802.11ah is long-range; for HIGH, prioritize exposed outdoor or campus-edge units within 30 days.
Collect crash telemetry now — Forward logread, dmesg, reboot events, and config-change telemetry from each gateway to central logging. Do this within 30 days so you can tell the difference between random radio flakiness and repeated exploitation attempts against dot11ah.ko.

What doesn't work

WAF and internet-facing NGFW policy do not help against malformed 802.11ah frames arriving over RF before the traffic ever becomes an IP session.
MFA on the web interface is good hygiene but irrelevant to a likely pre-auth radio parser issue.
Standard authenticated vulnerability scanners run from an auditor workstation will usually miss this because they cannot exercise the 802.11ah kernel receive path.

06 · Verification

Crowdsourced verification payload.

Run this on the HaLowLink 2 target host itself over SSH as root or with equivalent privileges, because it reads local release files, board metadata, and kernel modules. Save it as check-cve-2026-7762.sh, then run sh check-cve-2026-7762.sh; it outputs VULNERABLE, PATCHED, or UNKNOWN. Because the public fixed-version cutoff is incomplete, this is a best-effort detector that positively identifies only known pre-disclosure vulnerable trains and otherwise falls back conservatively.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/bin/sh
# check-cve-2026-7762.sh
# Best-effort local checker for Morse Micro HaLowLink 2 / dot11ah.ko exposure
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -eu

MODEL=""
VERSION=""
DOT11AH_PRESENT="no"

# Try to identify device model
if command -v ubus >/dev/null 2>&1; then
  MODEL=$(ubus call system board 2>/dev/null | sed -n 's/.*"model": *"\([^"]*\)".*/\1/p' | head -n1 || true)
fi
if [ -z "$MODEL" ] && [ -r /tmp/sysinfo/model ]; then
  MODEL=$(cat /tmp/sysinfo/model 2>/dev/null || true)
fi

# Try to identify Morse/OpenWrt version
if [ -r /etc/openwrt_release ]; then
  VERSION=$(sed -n "s/^DISTRIB_RELEASE='\([^']*\)'/\1/p" /etc/openwrt_release | head -n1 || true)
fi
if [ -z "$VERSION" ] && [ -r /etc/os-release ]; then
  VERSION=$(sed -n 's/^VERSION=//p' /etc/os-release | tr -d '"' | head -n1 || true)
fi

# Check for loaded or installed dot11ah module
if lsmod 2>/dev/null | grep -q '^dot11ah '; then
  DOT11AH_PRESENT="yes"
elif find /lib/modules -type f -name 'dot11ah.ko*' 2>/dev/null | grep -q .; then
  DOT11AH_PRESENT="yes"
fi

is_halowlink2="no"
case "$MODEL" in
  *HaLowLink*2*|*halowlink*2*|*HL2*) is_halowlink2="yes" ;;
esac

# If we cannot even confirm the platform/radio stack, do not guess.
if [ "$is_halowlink2" != "yes" ] && [ "$DOT11AH_PRESENT" != "yes" ]; then
  echo "UNKNOWN - not confidently identified as HaLowLink 2 with dot11ah.ko present"
  exit 2
fi

# Version compare helper: returns 0 if $1 <= $2
verlte() {
  [ "$1" = "$2" ] && return 0
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# IMPORTANT:
# Public reporting for this CVE did not include a complete fixed-version cutoff.
# Publicly observed HaLowLink 2 field builds include 2.11.8 before disclosure,
# and 2.11.12 existed publicly before disclosure, but was NOT explicitly tied to this CVE.
# Therefore we only mark clearly old builds as VULNERABLE and avoid false PATCHED claims.

if [ -n "$VERSION" ]; then
  if verlte "$VERSION" "2.11.8"; then
    echo "VULNERABLE - HaLowLink 2 / dot11ah.ko present and software version ($VERSION) is at or below known pre-disclosure build 2.11.8"
    exit 1
  fi
fi

# If dot11ah is present but the version is newer or unknown, we cannot assert patched state.
echo "UNKNOWN - target appears relevant, but public sources do not provide an authoritative fixed-version cutoff for CVE-2026-7762"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: treat every HaLowLink 2 as a small, RF-exposed edge gateway and inventory it first, then apply the temporary controls above to any unit with active 802.11ah exposure near public or semi-public space. For this HIGH assessment, the noisgate mitigation SLA is within 30 days for segmentation, radio minimization, and telemetry collection, and the noisgate remediation SLA is within 180 days for the actual vendor-fixed software once the authoritative patched version is confirmed; if Morse publishes a security bulletin tying this CVE to a specific firmware train, update your detection logic immediately and accelerate the exposed outdoor sites first.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.