CVE-2026-42304
Published 2026-05-13
Priority P347 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.43% (34.6th percentile)
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| twisted | twisted | < 26.4.0rc2 | 26.4.0rc2 |
| twisted | twisted | < 26.4.0 | 26.4.0 |
| twisted | twisted | — | — |
| twisted | twisted | >= 0 < 26.4.0rc2 | 26.4.0rc2 |
| ubuntu | twisted | — | — |
GHSA
Twisted has a Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains
ghsa·2026-05-05
CVE-2026-42304 [HIGH] CWE-400 Twisted has a Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains
### Details
The twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server.
---
### Technical Details
The main issue is in twisted.names.dns.Name.decode. A visited set was added in 2011 (commit e11cd82) to prevent infinite loops, but there is still no limit on the number of pointer dereferences per message. Al
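One way to bound the work described above, as an added example that is not Twisted's code and not the 26.4.0rc2 patch: a name decoder that keeps a per-name visited set for loop detection and also charges every pointer jump against a budget shared by the whole message. The class names, the budget of 64 and the sample bytes are assumptions made for this illustration.

```python
# Added illustration (not Twisted code): decode DNS names with a pointer
# budget shared by every name in one message. Names and limits are assumed.
MAX_POINTERS_PER_MESSAGE = 64  # assumed budget, not a Twisted constant
MAX_NAME_LENGTH = 255          # RFC 1035 limit on an encoded name

class PointerBudgetExceeded(ValueError):
    """Raised when one message needs more pointer jumps than allowed."""

class MessageDecoder:
    def __init__(self, message: bytes, budget: int = MAX_POINTERS_PER_MESSAGE):
        self.message = message
        self.remaining = budget  # decremented across all decode_name() calls

    def decode_name(self, offset: int):
        """Return (dotted name, offset just past the name where it started)."""
        msg, labels, length, end, visited = self.message, [], 0, None, set()
        while True:
            if offset >= len(msg):
                raise ValueError("name runs past end of message")
            n = msg[offset]
            if n & 0xC0 == 0xC0:  # compression pointer: 14-bit target offset
                if offset + 1 >= len(msg):
                    raise ValueError("truncated pointer")
                target = ((n & 0x3F) << 8) | msg[offset + 1]
                if end is None:
                    end = offset + 2  # parsing resumes after the first pointer
                if target in visited:  # per-name loop check
                    raise ValueError("compression loop")
                visited.add(target)
                self.remaining -= 1  # per-message work bound
                if self.remaining < 0:
                    raise PointerBudgetExceeded("too many compression pointers")
                offset = target
                continue
            if n & 0xC0:
                raise ValueError("reserved label type")
            if n == 0:  # root label terminates the name
                return ".".join(labels), (offset + 1 if end is None else end)
            label = msg[offset + 1 : offset + 1 + n]
            length += n + 1
            if len(label) != n or length > MAX_NAME_LENGTH:
                raise ValueError("truncated or over-long name")
            labels.append(label.decode("ascii", "replace"))
            offset += 1 + n

# Constructed sample: "example.com" at 0, "www" + pointer to 0 at 13,
# and a bare pointer to 13 at offset 19.
SAMPLE = b"\x07example\x03com\x00" + b"\x03www\xc0\x00" + b"\xc0\x0d"
```

Because the budget lives on the decoder rather than on each call, the total number of dereferences for a message is capped no matter how many names it contains; the visited set alone only stops a single name from looping.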
Ubuntu
Twisted vulnerability
vendor_ubuntu·2026-06-03
CVE-2026-42304 Twisted vulnerability
Title: Twisted vulnerability
Summary: Twisted could be made to crash if it received specially crafted network traffic.
It was discovered that Twisted incorrectly handled DNS name decompression. A remote attacker could possibly use this issue to cause Twisted to consume excessive resources, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.