CVE-2026-39929
Awaiting Analysis Awaiting Analysis - Queue

Out-of-Bounds Read in SysTrack Agent

Vulnerability report for CVE-2026-39929, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: VulnCheck

Description

Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-07-09
AI Q&A
2026-05-29
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
lakeside_software systack_agent to 11.2.1.28 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15. It is an out-of-bounds read issue in the Command ID 30 UDP packet handler. Remote attackers can exploit this by sending a specially crafted UDP packet containing a malformed payload with an invalid memory address at offset 0x4. This triggers an access violation that causes the application to crash.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. An attacker can remotely crash the Lakeside SysTrack Agent application by sending a malicious UDP packet, causing the application to stop functioning. This can disrupt monitoring or management services that rely on the agent.

Compliance Impact

The vulnerability described is an out-of-bounds read in the Lakeside SysTrack Agent that allows remote attackers to cause a denial of service by crashing the application. There is no information provided about any impact on data confidentiality, integrity, or privacy that would directly relate to compliance with standards such as GDPR or HIPAA.

Since the vulnerability results in a denial of service without indication of data exposure or unauthorized data access, its effect on compliance with regulations like GDPR or HIPAA cannot be determined from the provided information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39929. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart