PYSEC-2026-160

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/twisted/PYSEC-2026-160.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-160

Aliases

CVE-2026-42304
GHSA-grgv-6hw6-v9g4

Published

2026-05-13T21:16:46.933Z

Modified

2026-05-20T12:35:31.546681Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.

References

https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4

Affected packages

PyPI / twisted

Package

Name: twisted; View open source insights on deps.dev
Purl: pkg:pypi/twisted

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

26.4.0

Affected versions

1.*

1.0.1

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

1.1.1

1.2.0

2.*

2.1.0

2.4.0

2.5.0

8.*

8.0.0

8.0.1

8.1.0

8.2.0

9.*

9.0.0

10.*

10.0.0

10.1.0

10.2.0

11.*

11.0.0

11.1.0

12.*

12.0.0

12.1.0

12.2.0

12.3.0

13.*

13.0.0

13.1.0

13.2.0

14.*

14.0.0

14.0.1

14.0.2

15.*

15.0.0

15.1.0

15.2.0

15.2.1

15.3.0

15.4.0

15.5.0

16.*

16.0.0

16.1.0

16.1.1

16.2.0

16.3.0

16.3.1

16.3.2

16.4.0

16.4.1

16.5.0rc1

16.5.0rc2

16.5.0

16.6.0rc1

16.6.0

16.7.0rc1

16.7.0rc2

17.*

17.1.0rc1

17.1.0

17.5.0

17.9.0rc1

17.9.0

18.*

18.4.0rc1

18.4.0

18.7.0rc1

18.7.0rc2

18.7.0

18.9.0rc1

18.9.0

19.*

19.2.0rc1

19.2.0rc2

19.2.0

19.2.1

19.7.0rc1

19.7.0

19.10.0rc1

19.10.0

20.*

20.3.0rc1

20.3.0

21.*

21.2.0rc1

21.2.0

21.7.0rc1

21.7.0rc2

21.7.0rc3

21.7.0

22.*

22.1.0rc1

22.1.0

22.2.0rc1

22.2.0

22.4.0rc1

22.4.0

22.8.0rc1

22.8.0

22.10.0rc1

22.10.0

23.*

23.8.0rc1

23.8.0

23.10.0rc1

23.10.0

24.*

24.2.0rc1

24.3.0

24.7.0rc1

24.7.0rc2

24.7.0

24.10.0rc1

24.10.0

24.11.0rc1

24.11.0rc2

24.11.0

25.*

25.5.0rc1

25.5.0

26.*

26.4.0rc2

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/twisted/PYSEC-2026-160.yaml"