CVE-2026-39929: Lakeside SysTrack Agent Out-of-Bounds Read Denial of Service
Lakeside SysTrack Agent contains a vulnerability that allows an attacker on the network to crash the application by sending a malicious UDP packet. No authentication is required, and the attack does not require user interaction. The vulnerability affects multiple recent versions of the agent and results in denial of service, making it a significant availability risk for organizations relying on SysTrack for endpoint management and monitoring.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-125, CWE-754
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-39929 is an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler of Lakeside SysTrack Agent. The flaw exists because the application fails to properly validate the bounds of memory access when processing specially crafted UDP packets. Specifically, attackers can craft a UDP payload with an invalid memory address reference at offset 0x4 that triggers an access violation when dereferenced. This causes an unhandled exception and immediate process termination. The vulnerability is classified under CWE-125 (Out-of-bounds Read) and CWE-754 (Improper Check for Unusual or Exceptional Conditions), indicating insufficient input validation and error handling in the packet processing routine.
Business impact
SysTrack Agent is commonly deployed as part of endpoint management and user experience monitoring across enterprise environments. A successful attack causes the agent to crash, interrupting monitoring, telemetry collection, and any dependent workflows. If SysTrack data feeds critical alerting, compliance reporting, or user support tools, an outage could obscure security incidents, delay incident response, and create compliance reporting gaps. Organizations with large deployments face the prospect of coordinated denial of service affecting many endpoints simultaneously if the attack is networked or distributed.
Affected systems
Lakeside SysTrack Agent versions 11.2.1.28 and earlier, 11.3.0.38 and earlier, 11.4.0.24 and earlier, and 11.5.0.15 and earlier are vulnerable. Organizations should verify their deployed versions against the patch guidance provided by Lakeside Software to determine exposure.
Exploitability
Exploitability is high. The attack requires only network access and the ability to send a UDP packet to the agent; no authentication, special privileges, or user interaction are needed. The network vector and low complexity mean an attacker can trigger the crash from any network position if the UDP port is reachable. However, the attack is limited to denial of service and does not allow code execution or data theft, which constrains the overall risk.
Remediation
Upgrade SysTrack Agent to patched versions: 11.2.1.28 or later, 11.3.0.38 or later, 11.4.0.24 or later, or 11.5.0.15 or later, depending on the version branch in use. Verify the exact version requirements with Lakeside Software's official advisory. If immediate patching is not possible, consider restricting UDP access to the SysTrack agent from untrusted network segments using firewall rules or network segmentation.
Patch guidance
Consult Lakeside Software's official security advisory for exact version numbers and deployment instructions. The patch versions referenced in the CVE description should be verified against the vendor's release notes. Organizations should test patches in a non-production environment before rolling out to the full estate, particularly if SysTrack telemetry is used for critical monitoring or compliance.
Detection guidance
Monitor for unexpected crashes or restarts of SysTrack Agent processes on endpoints. Check agent logs for access violation exceptions or unhandled exceptions originating from the UDP packet handler. Network-based detection is challenging without application-level visibility, but organizations with UDP traffic inspection or packet logging capabilities should look for malformed UDP packets sent to the SysTrack agent port with unusual payload structures at offset 0x4. Endpoint detection and response (EDR) tools should flag repeated process crashes of the SysTrack agent executable.
Why prioritize this
Although this vulnerability does not permit code execution and does not affect confidentiality or integrity, the ease of exploitation (network, unauthenticated, low complexity) and the guaranteed denial of service outcome make it a high-priority patch. Organizations heavily dependent on SysTrack for operations and compliance should prioritize this patch to maintain visibility and avoid service disruption.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible, unauthenticated attack with no user interaction required, resulting in complete availability loss for the affected service. The lack of confidentiality or integrity impact prevents a critical rating, but the ease of trigger and broad applicability in enterprise deployments justify the HIGH severity designation.
Frequently asked questions
Can an attacker exploit this vulnerability to run code or steal data?
No. This vulnerability causes a denial of service by crashing the application. It does not permit code execution, privilege escalation, or data theft. The impact is limited to availability.
Do I need network access to the agent to exploit this vulnerability?
Yes, the attacker must be able to send a UDP packet to the SysTrack agent. If the UDP port is not accessible from the attacker's network position—for example, behind a firewall—the vulnerability cannot be exploited. Restricting UDP access to trusted networks can reduce risk while patches are being deployed.
Which versions are affected and which should I upgrade to?
Versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 are vulnerable. Upgrade to the patched version corresponding to your current branch. Verify exact version numbers with Lakeside Software's official advisory before deploying.
Is this vulnerability being actively exploited in the wild?
As of the CVE publication date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed evidence of active exploitation in the wild at this time. However, organizations should still prioritize patching given the ease of exploitation.
This analysis is provided for informational purposes to help security teams prioritize remediation efforts. The specific version numbers, patch requirements, and deployment procedures referenced should be verified against Lakeside Software's official security advisory and vendor documentation. Organizations should conduct their own risk assessments and testing before applying patches to production environments. SEC.co makes no guarantee of completeness or accuracy and disclaims liability for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-41278HIGHWaterfall WF-500 RX Host Out-of-Bounds Read Remote Code Execution
- CVE-2026-0076HIGHAndroid ResourceTypes.cpp Out-of-Bounds Read Privilege Escalation
- CVE-2026-10017HIGHChrome Sandbox Escape via Out-of-Bounds Read in Headless Mode
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10930HIGHChrome ANGLE Out-of-Bounds Read on macOS
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability