PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42304 twisted CVE debrief

CVE-2026-42304 is a high-severity Denial of Service (DoS) vulnerability in Twisted, an event-based Python framework for internet applications. The flaw exists in the twisted.names module prior to version 26.4.0rc2 and stems from resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This attack bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. The vulnerability was published on May 13, 2026, and last modified on May 19, 2026. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The issue is fixed in Twisted 26.4.0rc2.

Vendor: twisted
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-19
Advisory published: 2026-05-13
Advisory updated: 2026-05-19

Who should care

Organizations running Twisted-based applications that utilize the twisted.names module for DNS resolution are at risk. This includes internet-facing services, DNS servers, and applications performing DNS lookups via Twisted. System administrators, DevOps engineers, and security teams responsible for Python application infrastructure should prioritize patching. Developers maintaining Twisted-dependent codebases should review their dependency versions and update requirements files. Network security teams should monitor for potential exploitation attempts against unpatched systems.

Technical summary

The vulnerability resides in Twisted's DNS name decompression implementation within the twisted.names module. DNS compression pointers (RFC 1035) let a name in a DNS message refer back to an earlier occurrence of a name or name suffix in the same message, reducing message size. The flaw occurs when an attacker crafts a TCP DNS packet whose compression pointers are deeply chained, each pointer referencing yet another pointer, in a way that bypasses the existing loop detection. Decoding such a name triggers millions of recursive lookups, consuming excessive CPU and causing the single-threaded Twisted reactor to hang indefinitely. The attack is network-based, requires no authentication, and has low complexity. The vulnerability affects Twisted versions prior to 26.4.0rc2, including 26.4.0rc1; the fix in 26.4.0rc2 addresses the bypass in the loop-prevention logic.

Defensive priority

high

Recommended defensive actions

  • Upgrade Twisted to version 26.4.0rc2 or later to remediate this vulnerability.
  • If immediate patching is not feasible, consider implementing network-level controls that restrict access to DNS services built on Twisted's twisted.names module to trusted sources only.
  • Monitor for anomalous TCP DNS traffic containing unusually large or complex compression pointer chains as potential indicators of exploitation attempts.
  • Review application architecture to ensure DNS resolution components run in isolated processes or threads where possible, reducing the impact of reactor hangs.
  • Subscribe to Twisted security advisories for timely notification of future security updates.

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The affected versions are confirmed through CPE criteria in the NVD data: all versions prior to 26.4.0, and specifically 26.4.0rc1. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) supports the high severity rating. Weaknesses are classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-407 (Inefficient Algorithmic Complexity). The fix version 26.4.0rc2 is explicitly stated in the CVE description and vendor advisory.

Official resources

The vulnerability was disclosed through GitHub Security Advisories and the National Vulnerability Database (NVD). The CVE record was published on May 13, 2026, with subsequent modifications on May 19, 2026. The vendor has acknowledged the vulnerability