CVE-2026-42304 Overview
CVE-2026-42304 is a Denial of Service (DoS) vulnerability in the twisted.names module of the Twisted framework, an event-based networking library for Python 3.6+. Versions prior to 26.4.0rc2 improperly handle DNS name decompression, allowing a remote unauthenticated attacker to send a crafted TCP DNS message containing deeply chained compression pointers. The chain bypasses the existing loop-prevention logic and forces the single-threaded Twisted reactor to perform a very large number of pointer dereferences before it can service anything else, freezing the server. The issue is tracked as [CWE-400] Uncontrolled Resource Consumption and is fixed in 26.4.0rc2.
Critical Impact
A single crafted TCP DNS packet can hang the Twisted reactor, halting all event-driven processing in the affected service and causing complete service unavailability.
Affected Products
- Twisted framework versions prior to 26.4.0rc2 (the twisted.names package)
- Applications that use twisted.names to parse DNS messages, in particular any that accept DNS over TCP from untrusted clients
- Any other Python 3.6+ service running in the same Twisted reactor process as a vulnerable DNS parser, since a stalled reactor halts every handler it schedules
Discovery Timeline
- 2026-05-13 - CVE-2026-42304 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42304
Vulnerability Analysis
The vulnerability resides in the DNS name decompression logic of twisted.names. DNS messages use a compression scheme defined in RFC 1035, where labels can reference earlier positions in the packet via two-byte pointers. The Twisted implementation traverses these pointers when reconstructing fully qualified domain names from compressed wire-format data.
An attacker crafts a TCP DNS message whose compression pointers form a deeply chained but non-looping sequence: each pointer targets an earlier offset that itself holds another pointer. The existing loop-detection logic only rejects revisited offsets, so a chain that always moves backwards passes validation. Each pointer carries a 14-bit offset, so one chain can reach at most 16 KiB back into the message, but thousands of two-byte links still fit in a single TCP message, and every name that starts with a pointer into the chain walks it again. The reactor processes each dereference synchronously, so CPU time is exhausted inside name decoding before any response is produced.
Because Twisted is single-threaded and cooperatively scheduled, blocking the reactor halts every other coroutine, Deferred, and network handler in the process. The attack requires no authentication and no user interaction.
Root Cause
The root cause is insufficient bounding of pointer traversal during name decompression. The loop-prevention logic checks for revisited offsets but does not cap the total number of pointer dereferences per name, so a non-cyclic chain is followed to its end however long it is. The fix in 26.4.0rc2 introduces a hard limit on the recursion depth (number of pointer hops) allowed while decompressing a single name.
Attack Vector
Exploitation requires only network reachability to a Twisted-based service that parses DNS messages over TCP. The attacker sends one crafted DNS message whose name fields contain a chain of compression pointers, each referencing an earlier offset that itself contains another pointer. The reactor enters a long-running decompression loop and stops servicing other connections until the decode completes or the process is restarted. Refer to the GitHub Security Advisory GHSA-grgv-6hw6-v9g4 for additional protocol-level details.
Detection Methods for CVE-2026-42304
Indicators of Compromise
- Sudden and sustained CPU saturation on a single core hosting the Twisted reactor process
- Stalled responses across all network endpoints served by the same Twisted process, not only DNS
- TCP DNS messages whose name fields contain unusually long chains of compression pointers (label-length octets with the top two bits set, 0xC0 through 0xFF, each followed by a 14-bit offset)
- Process traces showing repeated calls within twisted.names.dns name-decoding functions
Detection Strategies
- Inspect inbound TCP/53 traffic for DNS messages containing an abnormal count of compression pointer octets within a single name field.
- Monitor process-level CPU and reactor latency metrics for Twisted services and alert on sustained single-thread saturation.
- Use IDS signatures that flag DNS messages exceeding reasonable label-pointer counts per query or response.
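The decoder and scanner below are an added example, not Twisted's own code, and illustrate both the root cause described above (a loop check that does not bound a backward pointer chain, beside a per-name hop cap in the spirit of the fix) and the detection strategy of counting compression-pointer hops per name field. The message layout, the helper names (`decode_name`, `build_chained_message`, `max_pointer_hops`, `is_rejected`) and the `MAX_POINTER_HOPS` value of 16 are assumptions for this example; the limit Twisted adopted is not stated on this page. The DNS messages are constructed inline so the script runs offline.

```python
import struct

MAX_POINTER_HOPS = 16  # assumed cap for this example; not the limit Twisted chose


class DecompressionError(ValueError):
    """Malformed, looping, or over-long compression pointer chain."""


def decode_name(msg, offset, max_hops=None):
    """Return (name, next_offset, hops) for the RFC 1035 name at `offset`.

    With max_hops=None only revisited offsets (loops) are rejected, modelling
    the pre-fix logic; with a cap, a chain longer than max_hops raises."""
    labels, hops, seen, pos, end = [], 0, {offset}, offset, None
    while True:
        if pos >= len(msg):
            raise DecompressionError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: two-byte pointer
            if pos + 1 >= len(msg):
                raise DecompressionError("truncated pointer")
            if end is None:                       # the name field ends after its first pointer
                end = pos + 2
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target in seen:                    # the existing loop check
                raise DecompressionError("compression pointer loop")
            seen.add(target)
            hops += 1
            if max_hops is not None and hops > max_hops:   # the added bound
                raise DecompressionError("pointer chain exceeds %d hops" % max_hops)
            pos = target
        elif length & 0xC0:
            raise DecompressionError("unsupported label type")
        elif length == 0:                         # root label ends the name
            return ".".join(labels) + ".", (pos + 1 if end is None else end), hops
        else:
            if pos + 1 + length > len(msg):
                raise DecompressionError("truncated label")
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length


def build_chained_message(n_hops):
    """Construct (for this example) a DNS response whose last RR owner name
    resolves only after n_hops backward pointer hops.  Layout:
    header | Q: a. TXT IN | RR1: NAME->12, TXT, RDATA = pointer chain | RR2: NAME->last link, A
    Every pointer targets a strictly earlier offset, so there is no cycle."""
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0))
    qname_off = len(msg)                          # 12: the one real name, "a."
    msg += b"\x01a\x00" + struct.pack("!HH", 16, 1)
    rdata_off = len(msg) + 12                     # after RR1 NAME, TYPE, CLASS, TTL, RDLENGTH
    links, prev = bytearray(), qname_off
    for i in range(n_hops - 1):                   # link[0] -> "a.", link[i] -> link[i-1]
        links += struct.pack("!H", 0xC000 | prev)
        prev = rdata_off + 2 * i
    if prev >= 0x4000:
        raise ValueError("pointer offsets are 14-bit; chain too long for one message")
    msg += struct.pack("!H", 0xC000 | qname_off) + struct.pack("!HHIH", 16, 1, 60, len(links))
    msg += links
    msg += struct.pack("!H", 0xC000 | prev)       # RR2 NAME: entry point of the chain
    msg += struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return bytes(msg)


def max_pointer_hops(msg, max_hops=None):
    """Walk every question and RR owner name (RDATA skipped via RDLENGTH) and
    return the longest pointer chain seen: a detection check for captured TCP
    DNS payloads.  With a cap, an over-long chain raises instead."""
    if len(msg) < 12:
        raise DecompressionError("short header")
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos, worst = 12, 0
    for _ in range(qd):
        _, pos, hops = decode_name(msg, pos, max_hops)
        worst, pos = max(worst, hops), pos + 4    # skip QTYPE, QCLASS
    for _ in range(an + ns + ar):
        _, pos, hops = decode_name(msg, pos, max_hops)
        if pos + 10 > len(msg):
            raise DecompressionError("truncated resource record")
        rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        worst, pos = max(worst, hops), pos + 10 + rdlength
    return worst


def is_rejected(msg, max_hops):
    """True if the walk with the given cap refuses the message."""
    try:
        max_pointer_hops(msg, max_hops)
        return False
    except DecompressionError:
        return True


if __name__ == "__main__":
    crafted = build_chained_message(5000)          # about 10 KB, fits one TCP DNS message
    print("longest chain (loop check only):", max_pointer_hops(crafted))
    print("rejected with hop cap:", is_rejected(crafted, MAX_POINTER_HOPS))
    print("benign message rejected:", is_rejected(build_chained_message(1), MAX_POINTER_HOPS))
```

Run as a script, the crafted message decodes cleanly under the loop check alone (5000 hops for one owner name) and is refused once the hop cap is in place, while a message with a single ordinary pointer passes. For detection, `max_pointer_hops` with no cap gives the per-message figure to threshold on; legitimate responses rarely need more than a handful of hops per name.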
Monitoring Recommendations
- Track request-handling latency for all Twisted-backed services and alert when latency exceeds baseline by an order of magnitude.
- Log connection counts and queue depth on TCP DNS listeners to detect stalls caused by reactor hangs.
- Capture packet samples from suspect sources for offline analysis of DNS name structures.
How to Mitigate CVE-2026-42304
Immediate Actions Required
- Upgrade Twisted to version 26.4.0rc2 or later on all hosts running twisted.names or services that parse DNS messages.
- Inventory Python environments and container images to identify pinned Twisted versions below 26.4.0rc2.
- Restrict network exposure of TCP DNS listeners to trusted clients until patching is complete.
Patch Information
The vulnerability is fixed in Twisted 26.4.0rc2. Upgrade using the Python package manager, for example pip install --upgrade "twisted>=26.4.0rc2" (naming the release candidate explicitly in the specifier lets pip select the pre-release without --pre). See the GitHub Security Advisory GHSA-grgv-6hw6-v9g4 for release details.
Workarounds
- Place a DNS-aware proxy or firewall in front of Twisted services to validate and normalize DNS messages before they reach the reactor.
- Block or rate-limit TCP/53 traffic from untrusted sources at the perimeter.
- Run multiple Twisted worker processes behind a load balancer so a single hang does not eliminate all capacity, while still prioritizing the upgrade.
# Upgrade Twisted to the patched release (the explicit rc in the specifier allows the pre-release)
pip install --upgrade "twisted>=26.4.0rc2"
# Verify the installed version is 26.4.0rc2 or later
python -c "import twisted; print(twisted.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.