CVE-2026-39929
Awaiting Analysis Awaiting Analysis - Queue
Out-of-Bounds Read in SysTrack Agent

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: VulnCheck

Description
Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-39929
EUVD
EUVD-2026-33066
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lakeside_software systack_agent to 11.2.1.28 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15. It is an out-of-bounds read issue in the Command ID 30 UDP packet handler. Remote attackers can exploit this by sending a specially crafted UDP packet containing a malformed payload with an invalid memory address at offset 0x4. This triggers an access violation that causes the application to crash.

Compliance Impact

The vulnerability described is an out-of-bounds read in the Lakeside SysTrack Agent that allows remote attackers to cause a denial of service by crashing the application. There is no information provided about any impact on data confidentiality, integrity, or privacy that would directly relate to compliance with standards such as GDPR or HIPAA.

Since the vulnerability results in a denial of service without indication of data exposure or unauthorized data access, its effect on compliance with regulations like GDPR or HIPAA cannot be determined from the provided information.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. An attacker can remotely crash the Lakeside SysTrack Agent application by sending a malicious UDP packet, causing the application to stop functioning. This can disrupt monitoring or management services that rely on the agent.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39929. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart