cvedb.io
CVE-2026-42304
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-05-13T21:16:46.933 · Last modified 2026-06-17T10:47:39.757

Summary

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
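A decoder stays cheap on this kind of input when the work per name is capped explicitly. The sketch below is an added example, not Twisted's code or its patch; `read_name`, `NameDecodeError`, the `MAX_POINTER_HOPS` budget and the sample buffers are assumptions made for illustration.

```python
MAX_POINTER_HOPS = 16  # assumed budget for this example, not a Twisted setting
MAX_NAME_LEN = 255     # RFC 1035 limit on an encoded domain name

class NameDecodeError(ValueError):
    """Raised when a name is malformed or exceeds the work limits."""

def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at offset; return (name, offset after it in place)."""
    labels, total, hops, resume, pos = [], 1, 0, None, offset
    while True:
        if pos >= len(msg):
            raise NameDecodeError("truncated name")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer
            if pos + 1 >= len(msg):
                raise NameDecodeError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume is None:
                resume = pos + 2  # caller continues after the first pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise NameDecodeError("too many compression pointers")
            if target >= pos:
                raise NameDecodeError("pointer must refer to earlier data")
            pos = target
        elif length & 0xC0:
            raise NameDecodeError("reserved label type")
        elif length == 0:  # root label ends the name
            return ".".join(labels), resume if resume is not None else pos + 1
        else:
            total += length + 1  # length octet plus label bytes
            if total > MAX_NAME_LEN:
                raise NameDecodeError("name longer than 255 octets")
            if pos + 1 + length > len(msg):
                raise NameDecodeError("truncated label")
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
            pos += 1 + length

# Constructed sample: "example.com" at offset 0, then "www" + pointer to 0.
SAMPLE = b"\x07example\x03com\x00" + b"\x03www\xc0\x00"
# Constructed sample: a root label followed by 20 pointers, each referring to
# the previous pointer, so the last one needs 20 hops to resolve.
CHAINED = b"\x00" + b"".join(bytes([0xC0, max(0, 2 * i - 1)]) for i in range(20))
```

The hop budget and the 255-octet cap together bound the cost of one name regardless of how the pointers are arranged; a parser that handles many names per message still needs a per-message limit on top of this.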

Affected products

twisted — twisted


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.