cbcvebase.
CVE-2026-42304
published 2026-05-13

CVE-2026-42304: Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial…

PriorityP347high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.43%
34.6th percentile
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.

Affected

5 ranges
VendorProductVersion rangeFixed in
twistedtwisted< 26.4.0rc226.4.0rc2
twistedtwisted< 26.4.026.4.0
twistedtwisted
twistedtwisted>= 0 < 26.4.0rc226.4.0rc2
ubuntutwisted
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.