Denial of Service Vulnerability in Twisted Framework by Twisted
CVE-2026-42304

7.5 HIGH

Key Information:

Vendor

Twisted

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-42304?

Twisted, an event-driven networking engine for Python, is susceptible to a Denial of Service (DoS) attack due to a flaw in the twisted.names module. In versions before 26.4.0rc2, attackers can exploit the flaw with specially crafted TCP DNS packets that contain complex compression pointers. This design flaw allows the processing logic to be bypassed, leading to severe resource exhaustion. Because the reactor is single-threaded, it becomes overwhelmed: the server hangs during recursive DNS lookups and legitimate traffic is no longer processed. The vulnerability is addressed in version 26.4.0rc2, which mitigates the risk by enhancing the processing of DNS queries.
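As an added illustration (not Twisted's code and not its fix), the decoder below shows how a DNS name parser can bound the work that compression pointers trigger: every pointer must target a strictly earlier offset, and both the jump count and the name length are capped. The function names, the jump budget of 16 and the sample messages are assumptions constructed for this example.

```python
MAX_NAME_LEN = 255       # RFC 1035 limit on an encoded name, in octets
MAX_POINTER_JUMPS = 16   # assumed work budget per name (hypothetical value)

class MalformedName(ValueError):
    pass

def read_name(msg: bytes, offset: int):
    """Decode the name at `offset`; return (dotted_name, offset_after_name)."""
    labels, total, jumps = [], 1, 0   # total counts the root length octet
    resume = None                     # offset after the first pointer seen
    limit = offset                    # a pointer target must be below this
    pos = offset
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:     # two-octet compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise MalformedName("too many compression pointers")
            if target >= limit:       # rejects self, forward and looping pointers
                raise MalformedName("pointer does not point strictly backward")
            if resume is None:
                resume = pos + 2
            limit = pos = target
            continue
        if length & 0xC0:
            raise MalformedName("reserved label type")
        if length == 0:               # root label ends the name
            return (".".join(labels) or "."), (resume if resume is not None else pos + 1)
        if pos + 1 + length > len(msg):
            raise MalformedName("label runs past end of message")
        total += 1 + length
        if total > MAX_NAME_LEN:
            raise MalformedName("name exceeds 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def try_read_name(msg: bytes, offset: int):
    """Return the decoded tuple, or None when the name is rejected."""
    try:
        return read_name(msg, offset)
    except MalformedName:
        return None

# Constructed sample messages: 12-octet zeroed header, then encoded names.
HEADER = bytes(12)
GOOD = HEADER + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
SELF_POINTER = HEADER + b"\xc0\x0c"   # pointer at offset 12 targeting offset 12
```

Because each accepted pointer lowers `limit`, decoding one name always terminates and its cost is bounded by the message offset it started from.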

Affected Version(s)

twisted < 26.4.0rc2

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
