PatchSiren cyber security CVE debrief

CVE-2026-39929 Lakeside Software, LLC. CVE debrief

Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler. A remote attacker can crash the application by sending a specially crafted UDP packet containing an invalid memory address at offset 0x4 in the payload, triggering an access violation and causing denial of service. The vulnerability was published on May 28, 2026, and is rated HIGH severity with a CVSS score of 8.7. The weakness stems from improper handling of memory bounds (CWE-125) and improper check for unusual or exceptional conditions (CWE-754).

Vendor: Lakeside Software, LLC.
Product: SysTrack Agent
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations that use Lakeside SysTrack for IT asset management and endpoint monitoring should care, particularly those whose agents are reachable from network segments accessible to untrusted users or systems. Security teams responsible for endpoint protection and network security should prioritize patching because this denial-of-service vulnerability is remotely exploitable without authentication.

Technical summary

The vulnerability exists in the Command ID 30 UDP packet handler within the Lakeside SysTrack Agent (lsiagent.exe). The handler fails to properly validate memory addresses provided in packet payloads, specifically at offset 0x4. When a malformed UDP packet containing an invalid memory address is received, the application attempts to read from an out-of-bounds memory location, resulting in an access violation and process termination. This is remotely exploitable without authentication, requiring only network access to the UDP service port. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Lakeside SysTrack Agent to version 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15, or later depending on your current major version branch
  • Restrict UDP access to SysTrack Agent ports to authorized management hosts only
  • Monitor for unexpected SysTrack Agent process crashes or service restarts
  • Review network traffic for anomalous UDP packets targeting SysTrack Agent endpoints
  • Apply vendor hotfixes referenced in release notes for affected versions
  • Consider network segmentation to limit exposure of SysTrack Agent UDP handlers to untrusted networks
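
One way to act on the crash-monitoring item above, as an added example (not PatchSiren's or Lakeside's code): it scans exported Windows Application Error records (Event ID 1000) for access-violation crashes of lsiagent.exe and flags hosts where they repeat. The record tuple layout, the two-crashes-in-ten-minutes threshold and every sample event are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_VIOLATION = 0xC0000005  # NTSTATUS STATUS_ACCESS_VIOLATION
FAULT_RE = re.compile(
    r"Faulting application name:\s*(?P<app>[^,]+),.*?"
    r"Exception code:\s*(?P<code>0x[0-9a-fA-F]+)", re.S)

def _msg(app, code):
    # Constructed text in the layout of an Application Error (Event ID 1000) record.
    return (f"Faulting application name: {app}, version: 0.0.0.0, time stamp: 0x0\n"
            f"Faulting module name: {app}, version: 0.0.0.0, time stamp: 0x0\n"
            f"Exception code: {code}\nFault offset: 0x0")

# Constructed sample export: (host, ISO time, event id, message). All values are made up.
SAMPLE_EVENTS = [
    ("ws-014", "2026-06-01T09:00:12", 1000, _msg("lsiagent.exe", "0xc0000005")),
    ("ws-014", "2026-06-01T09:02:40", 1000, _msg("LsiAgent.exe", "0xc0000005")),
    ("ws-014", "2026-06-01T09:03:05", 1000, _msg("notepad.exe", "0xc0000005")),
    ("ws-022", "2026-06-01T09:05:00", 1000, _msg("lsiagent.exe", "0xc0000005")),
    ("ws-031", "2026-06-01T09:06:00", 1000, _msg("lsiagent.exe", "0xc0000409")),
    ("ws-031", "2026-06-01T09:06:30", 1001, "Fault bucket (unrelated report record)"),
]

def agent_crashes(events, image="lsiagent.exe"):
    """Return (host, time) for each access-violation crash of the agent image."""
    hits = []
    for host, ts, event_id, message in events:
        m = FAULT_RE.search(message) if event_id == 1000 else None
        if (m and m["app"].strip().lower() == image
                and int(m["code"], 16) == ACCESS_VIOLATION):
            hits.append((host, datetime.fromisoformat(ts)))
    return hits

def hosts_to_triage(events, threshold=2, window=timedelta(minutes=10)):
    """Return {host: crash count} where `threshold` crashes fall inside `window`."""
    per_host = defaultdict(list)
    for host, when in agent_crashes(events):
        per_host[host].append(when)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[host] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(hosts_to_triage(SAMPLE_EVENTS))
```

A single crash on one host is left unflagged by default; lowering `threshold` to 1 lists every host with at least one matching crash, which suits a first sweep while agents are still being upgraded.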

Evidence notes

CVE published 2026-05-28. Vendor hotfix release notes confirm patched versions. VulnCheck advisory provides technical details on the UDP packet structure triggering the vulnerability.
