Description
Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.
Published: 2026-05-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read occurs in the Command ID 30 UDP packet handler of Lakeside SysTrack Agent’s LsiAgent.exe, allowing a remote attacker to crash the agent by sending a malformed packet. The flaw is triggered when the payload contains an invalid memory address at offset 0x4, which causes an access violation and forces the agent to terminate. Because the vulnerability leads only to a crash, it does not directly compromise confidentiality or integrity, but it disrupts the service that the agent provides.

Affected Systems

Lakeside Software, LLC’s SysTrack Agent is affected. Versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 contain the defect. All earlier releases that use the same Command ID 30 UDP handler are similarly impacted.

Risk and Exploitability

The CVSS score of 8.7 classifies the flaw as high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be launched remotely without authentication by sending a crafted UDP packet to the agent’s listening port. The resulting denial of service could disrupt business processes relying on the agent’s functionality.

Generated by OpenCVE AI on May 28, 2026 at 23:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied hotfix or upgrade to the first non‑vulnerable release (11.2.1.28, 11.3.0.38, 11.4.0.24 or 11.5.0.15).
  • Deploy the hotfix or upgrade to all systems running the affected agent.
  • If an immediate upgrade is not possible, block or rate‑limit UDP traffic to the agent’s listening port to reduce crash risk and monitor logs for abnormal termination.

Generated by OpenCVE AI on May 28, 2026 at 23:31 UTC.
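
The version ranges above, turned into a fleet triage check as an added example (not OpenCVE's or the vendor's code): each agent build is compared numerically against the fixed build of its own release branch. The host names and sample versions are constructed, and reporting branches after 11.5 as "unknown" is an assumption, since the page says nothing about them.

```python
# Fixed builds per release branch, taken from the description above.
FIXED = {(11, 2): (11, 2, 1, 28), (11, 3): (11, 3, 0, 38),
         (11, 4): (11, 4, 0, 24), (11, 5): (11, 5, 0, 15)}


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return (status, fixed build for that branch or None)."""
    try:
        version = parse_version(text)
    except ValueError:
        return ("unparseable", None)
    branch = version[:2]
    if branch in FIXED:
        fixed = ".".join(map(str, FIXED[branch]))
        # Compare numerically within the branch, never as strings.
        return ("vulnerable" if version < FIXED[branch] else "fixed", fixed)
    if branch < min(FIXED):
        # Page: earlier releases with the same handler are also impacted.
        return ("vulnerable", None)
    # Assumption: the page makes no statement about branches after 11.5.
    return ("unknown", None)


def triage(inventory):
    """Map host -> (status, fixed build) for a {host: version} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "ws-001": "11.2.1.9",    # string compare would wrongly rank this above .28
    "ws-002": "11.3.0.37",   # above the 11.2 fix, still below the 11.3 fix
    "ws-003": "11.5.0.15",   # exactly the fixed build
    "ws-004": "10.9.0.4",    # older branch, no fixed build listed for it
    "ws-005": "11.4.0",      # truncated inventory value
}

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE).items():
        print(f"{host}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```

Hosts reported as "unparseable" or "unknown" need manual review rather than being counted as patched.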

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.
Title | | Lakeside SysTrack Agent LsiAgent.exe Out-of-Bounds Read via UDP
Weaknesses | | CWE-125, CWE-754
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T19:07:28.014Z

Reserved: 2026-04-07T20:57:06.210Z

Link: CVE-2026-39929

Vulnrichment

Updated: 2026-05-29T19:07:18.906Z

NVD

Status: Received

Published: 2026-05-28T22:16:58.693

Modified: 2026-05-28T22:16:58.693

Link: CVE-2026-39929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T23:45:29Z

Weaknesses