{"id":"PYSEC-2026-160","details":"Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.","aliases":["CVE-2026-42304","GHSA-grgv-6hw6-v9g4"],"modified":"2026-05-20T12:35:31.546681Z","published":"2026-05-13T21:16:46.933Z","references":[{"type":"EVIDENCE","url":"https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4"}],"affected":[{"package":{"name":"twisted","ecosystem":"PyPI","purl":"pkg:pypi/twisted"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"26.4.0"}]}],"versions":["1.0.1","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.1.0","1.1.1","1.2.0","10.0.0","10.1.0","10.2.0","11.0.0","11.1.0","12.0.0","12.1.0","12.2.0","12.3.0","13.0.0","13.1.0","13.2.0","14.0.0","14.0.1","14.0.2","15.0.0","15.1.0","15.2.0","15.2.1","15.3.0","15.4.0","15.5.0","16.0.0","16.1.0","16.1.1","16.2.0","16.3.0","16.3.1","16.3.2","16.4.0","16.4.1","16.5.0","16.5.0rc1","16.5.0rc2","16.6.0","16.6.0rc1","16.7.0rc1","16.7.0rc2","17.1.0","17.1.0rc1","17.5.0","17.9.0","17.9.0rc1","18.4.0","18.4.0rc1","18.7.0","18.7.0rc1","18.7.0rc2","18.9.0","18.9.0rc1","19.10.0","19.10.0rc1","19.2.0","19.2.0rc1","19.2.0rc2","19.2.1","19.7.0","19.7.0rc1","2.1.0","2.4.0","2.5.0","20.3.0","20.3.0rc1","21.2.0","21.2.0rc1","21.7.0","21.7.0rc1","21.7.0rc2","21.7.0rc3","22.1.0","22.1.0rc1","22.10.0","22.10.0rc1","22.2.0","22.2.0rc1","22.4.0","22.4.0rc1","22.8.0","22.8.0rc1","23.10.0","23.10.0rc1","23.8.0","23.8.0rc1","24.10.0","24.10.0rc1","24.11.0","24.11.0rc1","24.11.0rc2","24.2.0rc1","24.3.0","24.7.0","24.7.0rc1","24.7.0rc2","25.5.0","25.5.0rc1","26.4.0rc2","8.0.0","8.0.1","8.1.0","8.2.0","9.0.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/twisted/PYSEC-2026-160.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}