Description
Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.
Published: 2026-05-28
Score: 8.7 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds read occurs in the Command ID 30 UDP packet handler of Lakeside SysTrack Agent’s LsiAgent.exe, allowing a remote attacker to crash the agent by sending a malformed packet. The flaw is triggered when the payload contains an invalid memory address at offset 0x4, which causes an access violation and forces the agent to terminate. Because the vulnerability leads only to a crash, it does not directly compromise confidentiality or integrity, but it disrupts the service that the agent provides.

Affected Systems

Lakeside Software, LLC’s SysTrack Agent is affected. Versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 contain the defect. All earlier releases that use the same Command ID 30 UDP handler are similarly impacted.

Risk and Exploitability

The CVSS score of 8.7 classifies the flaw as high severity. The EPSS score is 1.4% (0.01403), and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be launched remotely and without authentication by sending a crafted UDP packet to the agent’s listening port. The straightforward exploit leads to a denial of service that could disrupt business processes relying on the agent’s functionality.

Generated by OpenCVE AI on June 18, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied hotfix or upgrade to the first non-vulnerable release (11.2.1.28, 11.3.0.38, 11.4.0.24 or 11.5.0.15).
  • Deploy the hotfix or upgrade to all systems running the affected agent.
  • If an immediate upgrade is not possible, block or rate-limit UDP traffic to the agent’s listening port to reduce crash risk and monitor logs for abnormal termination.



Advisories

No advisories yet.

History

Sat, 30 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lakesidesoftware; Lakesidesoftware systrack Agent
Vendors & Products | | Lakesidesoftware; Lakesidesoftware systrack Agent

Fri, 29 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.
Title | | Lakeside SysTrack Agent LsiAgent.exe Out-of-Bounds Read via UDP
Weaknesses | | CWE-125; CWE-754
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T19:07:28.014Z

Reserved: 2026-04-07T20:57:06.210Z

Link: CVE-2026-39929

Vulnrichment

Updated: 2026-05-29T19:07:18.906Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T22:16:58.693

Modified: 2026-06-01T16:52:20.117

Link: CVE-2026-39929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:00:16Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-754

    Improper Check for Unusual or Exceptional Conditions