CVEFinder.io

CVE-2026-42304

⚠️ high

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic: a chain of pointers that never revisits an offset is not a loop, yet every hop costs a lookup, so the work per name is bounded by the packet size rather than by the 255-byte limit on a DNS name. The single-threaded Twisted reactor hangs while processing millions of such recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
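The mechanism described above, as an added example that is not part of this page and is not Twisted's code or its fix: a minimal RFC 1035 name decoder whose only defence is a visited-offset check (the loop-prevention pattern the advisory says is bypassed), beside one that caps pointer hops and total name length. A constructed message holds one real name, a chain of backward-pointing compression pointers, and many names that are each a single pointer to the chain's tail; no offset is ever revisited, so the loop check never fires, while each two-byte name costs chain-length hops. The MAX_POINTER_HOPS bound of 128 is an assumption derived from RFC 1035 limits (a 255-byte name holds at most 127 labels), not a value taken from Twisted; compare(), build_message() and the other names are this example's own.

```python
# Added illustration, not Twisted's code or its fix: a visited-offset loop check
# does not bound decompression work; a hop cap does.  Sample message is constructed.
import struct

MAX_NAME_LEN = 255       # RFC 1035 s2.3.4: wire length of a whole name
MAX_POINTER_HOPS = 128   # assumption: a 255-byte name holds at most 127 labels,
                         # so no valid name needs more pointer hops than that

class DecodeError(ValueError):
    pass

def _read_pointer(buf, pos):
    """14-bit target of the compression pointer whose first byte is at pos."""
    if pos + 1 >= len(buf):
        raise DecodeError("truncated pointer")
    return ((buf[pos] & 0x3F) << 8) | buf[pos + 1]

def decode_name_loop_guard_only(buf, offset):
    """Vulnerable pattern: refuses to revisit an offset (so never loops forever)
    but follows any number of distinct pointers.  Returns (name, hops)."""
    labels, visited, hops, pos = [], set(), 0, offset
    while True:
        if pos >= len(buf):
            raise DecodeError("truncated name")
        length = buf[pos]
        if length == 0:
            return b".".join(labels), hops
        if length & 0xC0 == 0xC0:
            target = _read_pointer(buf, pos)
            if target in visited:
                raise DecodeError("pointer loop")
            visited.add(target)
            hops += 1
            pos = target
            continue
        if length & 0xC0:
            raise DecodeError("reserved label type")
        labels.append(bytes(buf[pos + 1:pos + 1 + length]))
        pos += 1 + length

def decode_name_bounded(buf, offset):
    """Hardened pattern: cap hops and total length, require backward pointers
    (RFC 1035 s4.1.4).  The hop cap is also the loop guard.  Returns (name, hops)."""
    labels, total_len, hops, pos = [], 0, 0, offset
    while True:
        if pos >= len(buf):
            raise DecodeError("truncated name")
        length = buf[pos]
        if length == 0:
            return b".".join(labels), hops
        if length & 0xC0 == 0xC0:
            target = _read_pointer(buf, pos)
            if target >= pos:
                raise DecodeError("pointer must refer to a prior occurrence")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DecodeError("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:
            raise DecodeError("reserved label type")
        total_len += 1 + length
        if total_len > MAX_NAME_LEN:
            raise DecodeError("name too long")
        labels.append(bytes(buf[pos + 1:pos + 1 + length]))
        pos += 1 + length

def rejects(decoder, buf, offset):
    try:
        decoder(buf, offset)
    except DecodeError:
        return True
    return False

HEADER = bytes(12)                            # constructed: header content irrelevant here
REAL_NAME = b"\x03www\x07example\x03com\x00"  # constructed: the only real labels

def build_message(chain_len, name_count):
    """Constructed message: one real name, chain_len pointers each referring to the
    previous one, then name_count names that are single pointers to the chain's tail."""
    buf = bytearray(HEADER)
    target = len(buf)
    buf += REAL_NAME
    for _ in range(chain_len):
        here = len(buf)
        assert target < 0x4000  # pointer targets are 14-bit: first 16 KiB only
        buf += struct.pack(">H", 0xC000 | target)
        target = here
    offsets = []
    for _ in range(name_count):
        offsets.append(len(buf))
        buf += struct.pack(">H", 0xC000 | target)
    return bytes(buf), offsets

def compare(chain_len, name_count):
    """Hops the loop-guard-only decoder spends on all names vs. how many the bounded one rejects."""
    buf, offsets = build_message(chain_len, name_count)
    naive_hops = sum(decode_name_loop_guard_only(buf, off)[1] for off in offsets)
    rejected = sum(rejects(decode_name_bounded, buf, off) for off in offsets)
    return naive_hops, rejected
```

compare(500, 200) returns (100200, 200): the loop-guard-only decoder performs 100,200 pointer lookups to decode 200 two-byte names, while the bounded decoder rejects each of them after 129 hops. The cost is multiplicative because pointer targets are 14-bit, so the chain must sit in the first 16 KiB, but the names that reference it can fill the rest of a 64 KiB TCP message. The check a decoder needs is therefore a hard cap on hops per name, not only detection of revisited offsets.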

CVSS Score: 7.5 (High)
EPSS Score: 0.0 (exploit probability)
Published Date: 2026-05-13
First Seen: 2026-05-17
📊 Relative Risk Intelligence
Severity Percentile: #101,817 of 328,009 vulnerabilities in the database (above average severity)
This CVE is rated Moderate Risk: more severe than 69.0% of all 328,009 vulnerabilities in the database.
🎯 CISA SSVC Assessment (updated May 14, 2026)
Exploitation Status: PoC (proof-of-concept available)
Automatable: Yes (can be exploited automatically)
Technical Impact: Partial (limited system impact)
SSVC data provided by CISA
Last Modified: 2026-05-19
Source: NVD
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
🔗 Related CVEs (6), affecting the same products

CVE-2024-41810 (medium, CVSS 6.1, EPSS 68.2, published 2024-07-29): Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo`...
CVE-2023-46137 (medium, CVSS 5.3, EPSS 0.6, published 2023-10-25): Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP r...
CVE-2022-39348 (medium, CVSS 5.4, EPSS 1.2, published 2022-10-26): Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the host header does not...
CVE-2022-24801 (high, CVSS 8.1, EPSS 1.2, published 2022-04-04): Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the T...
CVE-2022-21716 (high, CVSS 7.5, EPSS 1.0, published 2022-03-03): Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH clie...
CVE-2022-21712 (high, CVSS 7.5, EPSS 0.2, published 2022-02-07): twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authori...