How is CVE-2026-39929 exploited?

Network reachability (required): The attacker must reach the SysTrack Agent UDP listener over the network; no local or physical access to the host is needed. Authentication (not-required): No credentials or session token are needed; the vulnerable UDP handler accepts unauthenticated packets. Victim interaction (not-required): Exploitation is fully one-sided; no user on the target system needs to open a file, click a link, or take any other action. Attack complexity (info): Exploit reliability is high and condition-free; crafting the malformed UDP payload requires no race condition, specific memory layout, or timing window.

What is the impact of CVE-2026-39929?

Crashes the LsiAgent.exe process on the target host, terminating all SysTrack Agent monitoring and data-collection functions. Disrupts endpoint telemetry and workspace analytics gathered by SysTrack, creating visibility gaps for IT and operations teams. No confidentiality or integrity impact is indicated; stored data and system configuration are not read or modified by this exploit.

Back to search

HIGHCVE-2026-39929Published 2026-05-28Modified 2026-05-29CNA VulnCheck

CVE-2026-39929: Lakeside SysTrack Agent LsiAgent.exe Out-of-Bounds Read via UDP

Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.

HarborGuard Analysis

HarborGuard analysis

Synopsis

An out-of-bounds read vulnerability exists in the Lakeside SysTrack Agent (LsiAgent.exe) UDP packet handler for Command ID 30. The service is reachable over the network with no authentication required, and a remote attacker can trigger the flaw by sending a single malformed UDP packet containing an invalid memory address at payload offset 0x4. Successful exploitation crashes the SysTrack Agent process, causing a denial of service. Patched-image rebuilds at versions 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-39929 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream advisory feeds. Coverage extends to custom-built images that bundle the SysTrack Agent binary, not just upstream base images.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 8.7 (HIGH) and weighting findings against each customer environment's compliance policy. Routed alerts can reach the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at one of the fixed versions (11.2.1.28, 11.3.0.38, 11.4.0.24, or 11.5.0.15, depending on the affected branch) becomes available on HarborGuard once the fix version is detected in the upstream package feed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the SysTrack Agent UDP listener over the network; no local or physical access to the host is needed.
AuthenticationNot required
No credentials or session token are needed; the vulnerable UDP handler accepts unauthenticated packets.
Victim interactionNot required
Exploitation is fully one-sided; no user on the target system needs to open a file, click a link, or take any other action.
Attack complexityDetail
Exploit reliability is high and condition-free; crafting the malformed UDP payload requires no race condition, specific memory layout, or timing window.

Blast Radius

Crashes the LsiAgent.exe process on the target host, terminating all SysTrack Agent monitoring and data-collection functions.
Disrupts endpoint telemetry and workspace analytics gathered by SysTrack, creating visibility gaps for IT and operations teams.
No confidentiality or integrity impact is indicated; stored data and system configuration are not read or modified by this exploit.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image in a customer registry or pipeline that bundles an affected SysTrack Agent binary, including internally built images. For environments with auto-remediation enabled, HarborGuard can rebuild the image at the appropriate fixed branch version (11.2.1.28, 11.3.0.38, 11.4.0.24, or 11.5.0.15), run a regression test pass, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy does not permit auto-remediation, the finding is routed for manual review with full CVSS context attached. In the interim, network-policy controls that restrict UDP access to the SysTrack Agent port to trusted management hosts are a practical compensating control worth considering until the patched image is deployed.

See how HarborGuard automates this

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 11.2.1.28
Affected Products: 1

Fix available

11.2.1.2811.3.0.3811.4.0.2411.5.0.15

Patch commits

Affected packages

Lakeside Software, LLC. / SysTrack Agent
< 11.2.1.28 (from 0) · < 11.3.0.38 (from 11.3.0.xxx) · < 11.4.0.24 (from 11.4.0.xxx) · < 11.5.0.15 (from 11.5.0.xxx)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available