Arista EOS <4.36: VXLAN/GRE Decap Misidentification Leads to Tunnel Spoofing
CVE-2026-7473 Published on June 5, 2026

Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
On affected platforms running Arista EOS where a tunnel decapsulation configurationsuch as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interfaceis present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.

Vendor Advisory NVD

Known Exploited Vulnerability

This Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.

The following remediation steps are recommended / required by June 23, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2026-7473 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Incomplete Comparison with Missing Factors

The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.


Products Associated with CVE-2026-7473

Want to know whenever a new CVE is published for Arista Eos? stack.watch will email you.

 

Affected Versions

Arista Networks EOS:

Exploit Probability

EPSS
0.38%
Percentile
29.45%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.