CVE-2026-42304
Description
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Twisted | PyPI | < 26.4.0rc2 | 26.4.0rc2 |
Affected products
OSV coordinates (5 packages, no CPE assigned):
- pkg:apk/chainguard/synapse, affected range: < 1.151.0-r4
- pkg:pypi/twisted, affected range: < 26.4.0rc2
- pkg:rpm/opensuse/python-Twisted (distro: openSUSE Tumbleweed), affected range: < 26.4.0-1.1
- pkg:rpm/suse/python-Twisted (distro: SUSE Linux Enterprise Server 16.0), affected range: < 24.10.0-160000.3.1
- pkg:rpm/suse/python-Twisted (distro: SUSE Linux Enterprise Server for SAP applications 16.0), affected range: < 24.10.0-160000.3.1
References
- github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4 (source: NVD; tags: Exploit, Mitigation, Vendor Advisory; type: WEB)
- github.com/advisories/GHSA-grgv-6hw6-v9g4 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-42304 (source: GHSA; type: ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2026-160.yaml (source: GHSA; type: WEB)
- github.com/twisted/twisted/commit/e11cd82bdd79b3ebbb0e8635cbb9c76df2b5af09 (source: GHSA; type: WEB)