CVE-2026-42304

NameCVE-2026-42304
DescriptionTwisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
twisted (PTS)bullseye20.3.0-7+deb11u1vulnerable
bullseye (security)20.3.0-7+deb11u2vulnerable
bookworm, bookworm (security)22.4.0-4+deb12u1vulnerable
trixie24.11.0-1vulnerable
forky25.5.0-5vulnerable
sid26.4.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
twistedsource(unstable)26.4.0-1

Notes

[bullseye] - twisted <postponed> (Minor issue, DoS)
https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4
https://github.com/twisted/twisted/issues/12626
Introduced with: https://github.com/twisted/twisted/commit/e11cd82bdd79b3ebbb0e8635cbb9c76df2b5af09 (twisted-11.1.0)
Fixed by: https://github.com/twisted/twisted/commit/2d196123264efb0027eecfe1b430be4a9babdbd8 (twisted-26.4.0rc1)
Search for package or bug name: Reporting problems