VYPR
High severity 7.5 · NVD Advisory · Published May 28, 2026

CVE-2026-39929


Description

Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lakeside SysTrack Agent versions before 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 have an out-of-bounds read in the Command ID 30 UDP handler, allowing remote attackers to crash the agent via a crafted packet.

Vulnerability

Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler. The flaw occurs when processing a specially crafted UDP packet with an invalid memory address at offset 0x4 in the payload, triggering an access violation that crashes the application [1]. The affected component is the LsiAgent.exe loopback handler (or a similarly named module) within the SysTrack agent [2][3].

Exploitation

An attacker can send a malformed UDP packet to the SysTrack agent from any network position (no authentication required). The packet must contain an invalid memory address at payload offset 0x4, causing the handler to dereference an out-of-bounds pointer and crash the agent process [1]. No user interaction or race condition is needed; the attack is purely remote and immediate.

Impact

Successful exploitation causes a denial of service: the SysTrack agent application crashes, disrupting endpoint monitoring and data collection. The crash is limited to the agent process itself; no privilege escalation or data disclosure occurs [1][2]. The impact is confined to availability loss for the affected system.

Mitigation

Fixed versions are 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 as published in hotfix release notes [1][2][3]. Users should upgrade to these or later versions. No workaround is documented; the fix addresses the malformed UDP packet handling in the loopback component.
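
Because the fix shipped as a separate hotfix build on each release branch, an inventory check has to compare each agent against the fixed build of its own branch rather than against a single minimum version. The following is an added example, not code from Lakeside or from this advisory: the `host,version` inventory format and host names are constructed, and treating branches newer than 11.5 as fixed is an assumption based on the "these or later versions" wording.

```python
import re

# Fixed builds per release branch, taken from the advisory text.
FIXED_BUILDS = {
    (11, 2): (11, 2, 1, 28),
    (11, 3): (11, 3, 0, 38),
    (11, 4): (11, 4, 0, 24),
    (11, 5): (11, 5, 0, 15),
}

def parse_version(text):
    """Parse a four-part dotted version such as '11.3.0.38' into a tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, flags=re.ASCII):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage(version_text):
    """Return 'fixed', 'vulnerable' or 'vulnerable-no-branch-fix'."""
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None:
        return "fixed" if version >= fixed else "vulnerable"
    # Assumption: branches newer than the latest listed one include the fix.
    if branch > max(FIXED_BUILDS):
        return "fixed"
    # Older branch: prior to every fixed build, and no hotfix is listed for it.
    return "vulnerable-no-branch-fix"

# Constructed sample inventory (host,agent version); not real data.
SAMPLE_INVENTORY = """\
ws-001,11.2.1.27
ws-002,11.2.1.28
ws-003,11.3.0.40
ws-004,11.4.0.9
ws-005,10.12.0.3
ws-006,11.5.0.15
ws-007,unknown
"""

def needs_action(inventory_text):
    """Map each host that is not confirmed fixed to its triage status."""
    report = {}
    for line in inventory_text.splitlines():
        host, _, version_text = line.partition(",")
        try:
            status = triage(version_text)
        except ValueError:
            status = "unparsed"  # surface unknown versions instead of skipping
        if status != "fixed":
            report[host] = status
    return report
```

Hosts reported as `unparsed` should be checked by hand, since an agent whose version cannot be read is not confirmed fixed.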

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
