Arista EOS <4.36: VXLAN/GRE Decap Misidentification Leads to Tunnel Spoofing
CVE-2026-7473 Published on June 5, 2026
Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
On affected platforms running Arista EOS where a tunnel decapsulation configurationsuch as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interfaceis present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.
This issue has been reported as being exploited in the wild.
Known Exploited Vulnerability
This Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.
The following remediation steps are recommended / required by June 23, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2026-7473 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Incomplete Comparison with Missing Factors
The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.
Products Associated with CVE-2026-7473
Want to know whenever a new CVE is published for Arista Eos? stack.watch will email you.
Affected Versions
Arista Networks EOS:- Version 4.36.0 is affected.
- Version 4.35.0, <= 4.35 is affected.
- Version 4.34.0, <= 4.34 is affected.
- Version 4.33.0, <= 4.33 is affected.
- Version 4.32.0, <= 4.32 is affected.
- Version 4.31.0, <= 4.31 is affected.
- Version *, <= 4.30 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.