Description
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote, unauthenticated attacker can send a crafted TCP DNS packet containing deeply chained compression pointers to a Twisted application using the twisted.names module. The crafted packet bypasses existing loop‑prevention logic, causing the single‑threaded Twisted reactor to process millions of recursive lookups and ultimately hang. The effect is a complete freeze of the server, denying service to legitimate users. This is a typical resource exhaustion denial‑of‑service flaw, identified as CWE‑400 and CWE‑407.
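The description above turns on one parsing detail: an RFC 1035 compression pointer sends the decoder to another offset in the message, and a chain of pointers can be followed far longer than any legitimate name needs. Checking only for exact loops is not enough, because a long non-looping chain (or overlapping label reads) still costs the single-threaded reactor unbounded work. The decoder below is an added example written for this page, not Twisted's own code or its fix; the hop budget, constant names, function names and the constructed sample packet are all assumptions. It charges every pointer hop against a fixed budget, requires pointers to refer to an earlier offset, and caps the decoded name at 255 bytes, so a crafted chain is rejected after a fixed number of steps rather than being followed indefinitely.

```python
# Added example (not Twisted's code): a bounded RFC 1035 name decoder.
# MAX_POINTER_HOPS is an assumed budget; a valid name needs only a few hops.
MAX_POINTER_HOPS = 16
MAX_NAME_LENGTH = 255      # RFC 1035 limit on the wire length of a name


class NameDecodeError(ValueError):
    """Raised when a name is malformed or exceeds the decoding budget."""


def decode_name(msg: bytes, offset: int, max_hops: int = MAX_POINTER_HOPS):
    """Decode a (possibly compressed) name at msg[offset].

    Returns (dotted_name, offset_after_name). Each compression pointer hop is
    charged against max_hops, so the loop runs at most max_hops + number of
    labels iterations regardless of how the pointers are arranged.
    """
    labels = []
    pos = offset
    end = None            # offset just past the name as it appears at `offset`
    hops = 0
    wire_len = 0          # label bytes consumed so far

    while True:
        if pos >= len(msg):
            raise NameDecodeError("name runs past end of message")
        length = msg[pos]

        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise NameDecodeError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2                          # pointer occupies 2 bytes
            hops += 1
            if hops > max_hops:
                raise NameDecodeError(f"more than {max_hops} pointer hops")
            if target >= pos:
                # RFC 1035 pointers refer to a prior occurrence of a name; a
                # forward or self-referential pointer is never produced by a
                # valid encoder, so it is rejected outright.
                raise NameDecodeError("pointer does not point backwards")
            pos = target
            continue

        if length & 0xC0:
            raise NameDecodeError("reserved label type")

        if length == 0:                                 # root label: done
            if end is None:
                end = pos + 1
            name = ".".join(l.decode("latin-1") for l in labels)
            return (name or "."), end

        wire_len += 1 + length
        if wire_len > MAX_NAME_LENGTH:
            raise NameDecodeError("name longer than 255 bytes")
        if pos + 1 + length > len(msg):
            raise NameDecodeError("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length])
        pos += 1 + length


def check_name(msg: bytes, offset: int, max_hops: int = MAX_POINTER_HOPS):
    """Convenience wrapper: ("ok", name) or ("rejected", reason)."""
    try:
        name, _ = decode_name(msg, offset, max_hops)
        return "ok", name
    except NameDecodeError as exc:
        return "rejected", str(exc)


def build_chain_message(chain_length: int) -> bytes:
    """Constructed sample: the literal name example.com at offset 0, followed
    by chain_length pointers, each referring to the previous pointer (the
    first refers to the literal name). Decoding the last pointer costs
    chain_length hops."""
    msg = bytearray(b"\x07example\x03com\x00")         # offsets 0..12
    prev = 0
    for _ in range(chain_length):
        here = len(msg)
        msg += bytes([0xC0 | (prev >> 8), prev & 0xFF])
        prev = here
    return bytes(msg)


if __name__ == "__main__":
    short = build_chain_message(2)
    print(check_name(short, len(short) - 2))            # ('ok', 'example.com')
    long = build_chain_message(50)
    print(check_name(long, len(long) - 2))              # rejected: hop budget
    mutual = b"\xc0\x02\xc0\x00"                        # two pointers referring to each other
    print(check_name(mutual, 2))                        # rejected: forward pointer
```

The hop budget is the termination guarantee: the backward-pointer rule alone does not bound the work, because a pointer may land inside a label that was already read and the decoder can revisit bytes that way. Monitoring for this class of input is simplest at the decoder boundary, by counting rejections per source address, which is also where the recommended query-rate monitoring would attach.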

Affected Systems

Versions of the Twisted framework before 26.4.0rc2 that include the twisted.names DNS module are affected. The vulnerability is specific to the Twisted event‑based framework for Python, used in applications that implement DNS resolution over TCP.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high severity. Exploitation requires only network connectivity to the Twisted DNS service and no authentication, making it a straightforward remote attack. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, but the low effort and high impact make it a serious risk for exposed services.

Generated by OpenCVE AI on May 13, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Twisted to version 26.4.0rc2 or later to apply the vendor fix
  • Limit exposure of the Twisted DNS service by restricting inbound connections to trusted networks or applying firewall rules
  • If an upgrade cannot be deployed immediately, isolate the Twisted process, disable the twisted.names service, and monitor for hanging reactor instances or abnormal DNS query rates


Tracking


Advisories
Source: Github GHSA
ID: GHSA-grgv-6hw6-v9g4
Title: Twisted has a Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains
History

Tue, 19 May 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:*
cpe:2.3:a:twisted:twisted:26.4.0:rc1:*:*:*:*:*:*

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Twisted
Twisted twisted
Vendors & Products Twisted
Twisted twisted

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
Title Twisted: Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains
Weaknesses CWE-400
CWE-407
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:45:34.746Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42304

Vulnrichment

Updated: 2026-05-14T15:45:21.220Z

NVD

Status : Analyzed

Published: 2026-05-13T21:16:46.933

Modified: 2026-05-19T16:47:32.543

Link: CVE-2026-42304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:30:05Z

Weaknesses