CVE-2026-39929 | THREATINT

Description

Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.

PUBLISHED Reserved 2026-04-07 | Published 2026-05-28 | Updated 2026-05-29 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Out-of-bounds Read

Improper Check for Unusual or Exceptional Conditions

Product status

Default status

affected

Any version before 11.2.1.28

affected

11.3.0.xxx (custom) before 11.3.0.38

affected

11.4.0.xxx (custom) before 11.4.0.24

affected

11.5.0.xxx (custom) before 11.5.0.15

affected

Credits

Austin A. DeFrancesco (DefCesco) finder

VulnCheck finder

References

documentation.lakesidesoftware.com/...ix-agent-release-notes release-notes patch

documentation.lakesidesoftware.com/...ix-agent-release-notes release-notes patch

documentation.lakesidesoftware.com/...ix-agent-release-notes release-notes patch

documentation.lakesidesoftware.com/...ix-agent-release-notes release-notes patch

www.vulncheck.com/...lsiagent-exe-out-of-bounds-read-via-udp third-party-advisory

cve.org (CVE-2026-39929)

nvd.nist.gov (CVE-2026-39929)

Download JSON

help @ threatint.eu