PT-2026-37262 · Twisted +2

Published 2026-05-05 · Updated 2026-06-08 · CVE-2026-42304

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Twisted versions prior to 26.4.0

Description: The twisted.names module is susceptible to a Denial of Service (DoS) attack caused by resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can send a specially crafted TCP DNS packet containing deeply chained compression pointers to exploit this flaw. This bypasses the existing loop-prevention logic and forces the single-threaded Twisted reactor to perform millions of recursive lookups, which freezes the server and prevents it from accepting new connections or processing I/O. The issue resides in the decode() function of twisted.names.dns.Name, which places no limit on the number of pointer dereferences per message and resets its visited set for each Question record. An attacker can therefore include thousands of questions that refer to the same long chain of pointers, causing the parser to repeat the same expensive pointer walk for every question.

Recommendations: Update to version 26.4.0 or later. As a temporary mitigation, restrict access to the DNS server functionality or implement network-level filtering to limit the number of DNS questions per TCP packet.
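The per-message budget the description calls for, shown as an added illustration written for this page (simplified code, not twisted.names' own): a compression-aware name decoder that counts pointer dereferences across every question of one message instead of per name, rejects forward or looping pointers, and a constructed message whose questions point at each other so that decoding cost grows quadratically with the question count. MAX_POINTER_DEREFS, decode_questions and chained_questions_message are assumed names and the budget value is arbitrary.

```python
import struct
MAX_POINTER_DEREFS = 64  # assumed per-message budget (constructed value, not Twisted's)

class MessageDecoder:
    """Decodes names from one DNS message with a pointer budget shared by every record."""
    def __init__(self, message: bytes):
        self.msg = message
        self.derefs = 0  # deliberately never reset between questions

    def decode_name(self, offset: int):
        """Return (dotted name, offset just past the name's in-line bytes)."""
        labels, pos, end, limit = [], offset, None, offset
        while True:
            if pos >= len(self.msg):
                raise ValueError("name runs past end of message")
            length = self.msg[pos]
            if length & 0xC0 == 0xC0:  # 11xxxxxx: RFC 1035 compression pointer
                if pos + 1 >= len(self.msg):
                    raise ValueError("truncated pointer")
                self.derefs += 1
                if self.derefs > MAX_POINTER_DEREFS:
                    raise ValueError("pointer budget for this message exhausted")
                target = struct.unpack_from("!H", self.msg, pos)[0] & 0x3FFF
                if target >= limit:  # must point strictly earlier: rules out loops
                    raise ValueError("forward or looping compression pointer")
                end = pos + 2 if end is None else end  # in-line bytes stop at first pointer
                limit = pos = target
            elif length == 0:
                return ".".join(labels), (pos + 1 if end is None else end)
            else:
                labels.append(self.msg[pos + 1:pos + 1 + length].decode("ascii"))
                pos += 1 + length

def decode_questions(message: bytes):  # one shared budget for the whole message
    qdcount = struct.unpack_from("!H", message, 4)[0]
    dec, names, pos = MessageDecoder(message), [], 12
    for _ in range(qdcount):
        name, pos = dec.decode_name(pos)
        names.append(name)
        pos += 4  # skip QTYPE and QCLASS
    return names, dec.derefs

def chained_questions_message(nquestions: int) -> bytes:
    """Constructed sample: question 1 spells out example.com, each later question is only
    a pointer to the previous question's name, so question k costs k-1 dereferences."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, nquestions, 0, 0, 0)
    body, prev = bytearray(b"\x07example\x03com\x00\x00\x01\x00\x01"), 12
    for _ in range(nquestions - 1):
        here = 12 + len(body)
        body += struct.pack("!H", 0xC000 | prev) + b"\x00\x01\x00\x01"
        prev = here
    return header + bytes(body)
```

With 11 questions the chain costs 55 dereferences and passes; with 12 it needs 66 and the shared budget rejects the message during the last question, which a per-question visited set alone would never do.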

Exploit · Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-CR27895
CLEANSTART-2026-MJ28981
CLEANSTART-2026-UO66475
CVE-2026-42304
GHSA-GRGV-6HW6-V9G4
OESA-2026-2367
OESA-2026-2368
OESA-2026-2369
OESA-2026-2370
OESA-2026-2488
OPENSUSE-SU-2026:10759-1
PYSEC-2026-160
SUSE-SU-2026:22004-1
USN-8380-1

Affected Products

Linuxmint
Twisted
Ubuntu