A heap-based buffer overflow vulnerability in the morse

CVE-2026-7763 is a heap-based buffer overflow in morse.ko, the Morse Micro HaLow Wi-Fi kernel driver used by HaLowLink 2. The public description says affected builds are HaLowLink 2 software versions prior to a vendor-fixed 2.x release, but the exact fixed build string was not recoverable from indexed public sources; what is clear is that the bug sits in a kernel-space wireless parsing path, so malformed over-the-air 802.11ah traffic can plausibly crash the device and, in the worst case, become kernel code execution.

With no vendor CVSS, the right baseline is not internet RCE hysteria; it is radio-adjacent pre-auth kernel attack surface on a niche embedded platform. That keeps this out of CRITICAL territory because the attacker must be within HaLow radio range and the exposed population is small, but it still lands at HIGH because memory corruption in a wireless kernel driver happens *before* most enterprise controls ever get a vote.

Why this verdict

• Started high on technical impact: heap overflow in morse.ko means potential kernel crash or kernel-level code execution, not a userland bug.
• Adjusted down for attacker position: the prerequisite is adjacent RF access, which implies the attacker must already be physically near the site or have a purpose-built nearby transmitter.
• Adjusted down again for exposed population: Wi-Fi HaLow / HaLowLink 2 is a niche enterprise footprint, so the vulnerable population is far smaller than mainstream Wi-Fi APs or internet appliances.
• Held above Medium because defenses are weak at this layer: WAF, MFA, reverse proxies, and most IP-layer monitoring do nothing against malformed pre-association wireless frames parsed in kernel space.

Why not higher?

It is not CRITICAL because there is no public active exploitation, no KEV listing, and the attacker must clear a real-world reachability hurdle: being in 802.11ah radio range. Just as important, this is a specialized product family, so the internet-scale blast radius that drives true emergency patching is not here.

Why not lower?

It is not MEDIUM because the bug lives in a kernel driver, not a management UI or authenticated feature path. The attacker does not need valid credentials or a post-login foothold if the vulnerable parser is reachable over the air, and even a 'mere crash' can take out a gateway serving IoT or OT traffic.

1. Disable unused HaLow radios — If a HaLowLink 2 is not actively needed for 802.11ah service, take the radio down or remove the device from service; that shrinks the vulnerable RF surface immediately. For a HIGH verdict, deploy this compensating control within 30 days wherever business use permits.
2. Constrain RF reachability — Move devices away from publicly reachable perimeters, reduce unnecessary transmit footprint, and prefer indoor/controlled placement so an attacker cannot casually get into effective radio range. Treat this as a within-30-days mitigation step for exposed field sites and campus edge locations.
3. Segment the gateway hard — Assume a compromised HaLow gateway becomes an edge foothold; keep it on tightly scoped VLANs/firewall zones with minimal east-west access and no admin plane exposure to crown-jewel networks. Put these segmentation controls in place within 30 days for all production deployments.
4. Turn on remote logging and crash collection — Forward logread/dmesg to centralized logging so panics, oops events, watchdog resets, and repeated interface flaps are preserved even if the box reboots. Do this within 30 days because local logs on embedded OpenWrt gear are easy to lose.
5. Validate vendor-fixed images before rollout — Because the exact fixed build was not publicly indexed, confirm the vendor advisory or portal release note, then pin and test that image in a lab before broad deployment. That validation work should begin now so the actual patch can land well inside the remediation window.

Run this on the target HaLowLink 2 or another Morse Micro Linux target, not from your auditor workstation. Invoke it as sh verify-cve-2026-7763.sh --fixed <vendor-fixed-version>; for example, sh verify-cve-2026-7763.sh --fixed 2.11.12 only if your vendor advisory confirms that fixed build. It needs root for modinfo, package queries, and reliable access to system release files.

#!/bin/sh
# verify-cve-2026-7763.sh
# Purpose: determine whether a Morse Micro / HaLowLink target is likely VULNERABLE,
# PATCHED, or UNKNOWN for CVE-2026-7763 by comparing the local software version
# to a vendor-confirmed fixed version supplied at runtime.
#
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / insufficient evidence

set -u

FIXED=""

usage() {
  echo "Usage: $0 --fixed <vendor-fixed-version>"
  echo "Example: $0 --fixed 2.11.12"
}

while [ $# -gt 0 ]; do
  case "$1" in
    --fixed)
      shift
      [ $# -gt 0 ] || { usage; echo "UNKNOWN: missing value for --fixed"; exit 2; }
      FIXED="$1"
      ;;
    -h|--help)
      usage
      exit 2
      ;;
    *)
      usage
      echo "UNKNOWN: unrecognized argument: $1"
      exit 2
      ;;
  esac
  shift
done

if [ -z "$FIXED" ]; then
  usage
  echo "UNKNOWN: vendor-fixed version not supplied"
  exit 2
fi

version_lt() {
  # returns 0 if $1 < $2
  [ "$1" = "$2" ] && return 1
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

get_local_version() {
  # Prefer explicit HaLowLink / Morse release markers if present.
  for f in /etc/halowlink_release /etc/morse_release /etc/openwrt_release /etc/os-release; do
    if [ -r "$f" ]; then
      # shellcheck disable=SC2162
      while IFS= read line; do
        case "$line" in
          VERSION=*|DISTRIB_RELEASE=*|IMAGE_VERSION=*|HALOWLINK_VERSION=*|MORSE_VERSION=*)
            v=$(echo "$line" | sed 's/^[^=]*=//' | tr -d '"' | tr -d "'" )
            case "$v" in
              *[0-9]*.*[0-9]*)
                echo "$v"
                return 0
                ;;
            esac
            ;;
        esac
      done < "$f"
    fi
  done

  # Fall back to opkg package metadata if present.
  if command -v opkg >/dev/null 2>&1; then
    for pkg in halowlink morse-driver morse_firmware morse-firmware; do
      v=$(opkg list-installed 2>/dev/null | awk -v p="$pkg" '$1==p {print $3; exit}')
      case "$v" in
        *[0-9]*.*[0-9]*)
          echo "$v"
          return 0
          ;;
      esac
    done
  fi

  return 1
}

has_morse() {
  if [ -e /lib/modules/"$(uname -r)"/morse.ko ] || [ -e /lib/modules/"$(uname -r)"/updates/morse.ko ] || [ -e /lib/modules/"$(uname -r)"/extra/morse.ko ]; then
    return 0
  fi
  if command -v modinfo >/dev/null 2>&1 && modinfo morse >/dev/null 2>&1; then
    return 0
  fi
  if lsmod 2>/dev/null | awk '$1=="morse" {found=1} END{exit(found?0:1)}'; then
    return 0
  fi
  return 1
}

if ! has_morse; then
  echo "UNKNOWN: Morse Micro driver (morse.ko) not detected on this host"
  exit 2
fi

LOCAL_VERSION=$(get_local_version || true)

if [ -z "$LOCAL_VERSION" ]; then
  echo "UNKNOWN: morse.ko detected, but local software version could not be determined"
  exit 2
fi

# Normalize versions by trimming non-version suffixes if present.
LOCAL_CLEAN=$(echo "$LOCAL_VERSION" | sed 's/[^0-9.].*$//')
FIXED_CLEAN=$(echo "$FIXED" | sed 's/[^0-9.].*$//')

if [ -z "$LOCAL_CLEAN" ] || [ -z "$FIXED_CLEAN" ]; then
  echo "UNKNOWN: version parsing failed (local='$LOCAL_VERSION', fixed='$FIXED')"
  exit 2
fi

if version_lt "$LOCAL_CLEAN" "$FIXED_CLEAN"; then
  echo "VULNERABLE: local version $LOCAL_VERSION is older than fixed version $FIXED"
  exit 1
fi

echo "PATCHED: local version $LOCAL_VERSION is at or above fixed version $FIXED"
exit 0

Sources

1. Morse Micro HaLowLink User Guide 2.11.2
2. Morse Micro Linux Porting Guide
3. MorseMicro/morse_driver GitHub repository
4. Morse Micro HaLowLink 2 product brief
5. Morse Micro announcement: HaLowLink 2 at CES 2026
6. Morse Micro Community: HaLowLink 2 fails to pair (shows 2.11.8 / OpenWrt 23.05.6)
7. Morse Micro Community: TX power thread (shows 2.11.8 / kernel 5.15.189 / OpenWrt 23.05.6)
8. CISA Known Exploited Vulnerabilities Catalog