HIGH🇬🇧 English

CVE-2026-42304

CVSS 7.5v3.1pub. 2026-05-13upd. 2026-05-19

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Twisted

    APP
    Twisted
    26.4.0< 26.4.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth BypassDoS
CWE
Referencje

Powiązane podatności

CVE-2020-10108CRITICAL9.8ten sam produkt

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two con...

CVE-2020-10109CRITICAL9.8ten sam produkt

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a conte...

CVE-2022-24801HIGH8.1ten sam produkt

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0...

CVE-2022-21716HIGH7.5ten sam produkt

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twiste...

CVE-2022-21712HIGH7.5ten sam produkt

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies a...

CVE-2026-42304 — HIGH 7.5 | CVEbaza.pl