CVE-2026-39929
HIGHLakeside SysTrack Agent LsiAgent.exe Out-of-Bounds Read via UDP
Title source: cnaDescription
Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.
References (5)
Core 5
Core References
Patch release-notes
patch
https://documentation.lakesidesoftware.com/docs/112128-hotfix-agent-release-notes
Patch release-notes
patch
https://documentation.lakesidesoftware.com/docs/1130xxx-hotfix-agent-release-notes
Patch release-notes
patch
https://documentation.lakesidesoftware.com/docs/1140xxx-hotfix-agent-release-notes
Patch release-notes
patch
https://documentation.lakesidesoftware.com/docs/1150xxx-hotfix-agent-release-notes
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/lakeside-systrack-agent-lsiagent-exe-out-of-bounds-read-via-udp
Scores
CVSS v3
7.5
EPSS
0.0140
EPSS Percentile
68.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-125
CWE-754
Status
published
Products (4)
Lakeside Software, LLC./SysTrack Agent
< 11.2.1.28
Lakeside Software, LLC./SysTrack Agent
11.3.0.xxx - 11.3.0.38
Lakeside Software, LLC./SysTrack Agent
11.4.0.xxx - 11.4.0.24
Lakeside Software, LLC./SysTrack Agent
11.5.0.xxx - 11.5.0.15
Published
May 28, 2026
Tracked Since
May 29, 2026