Incomplete Comparison with Missing Factors in Arista Extensible Operating System (EOS) - CVE-2026-7473


Published: June 9, 2026


Vulnerability identifier: #VU134147
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2026-7473
CWE-ID: CWE-1023
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Arista Networks
Affected software:
Arista Extensible Operating System (EOS)

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass intended tunnel protocol restrictions and forward unexpected tunneled traffic.

The vulnerability exists due to incomplete comparison with missing factors in tunnel decapsulation processing in Arista EOS when handling tunneled packets addressed to a configured decapsulation IP. A remote attacker can send specially crafted tunneled packets using a non-configured tunnel protocol to bypass intended tunnel protocol restrictions and forward unexpected tunneled traffic.

Exploitation requires the device to be configured as a tunnel endpoint with a decapsulation IP, such as for VXLAN, a GRE tunnel endpoint, or an ip decap-group.

Note: the vulnerability is being exploited in the wild.


How to mitigate CVE-2026-7473

The vendor is not planning to issue security patches for this vulnerability. Instead, it is recommended to configure ACLs that block the possible attack vectors, i.e. tunneled traffic using protocols other than the configured one that is addressed to the decapsulation IP.
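As an added illustration of that mitigation (not vendor-supplied configuration), the following EOS ACL permits only the configured tunnel protocol to reach the decapsulation IP and drops every other IP protocol addressed to it, while leaving transit traffic untouched. It assumes VXLAN (UDP 4789) is the only tunnel protocol configured, that 192.0.2.10 (a documentation placeholder) is the decapsulation IP, and that Ethernet1 is an underlay-facing interface; the ACL name is also an assumption.

```text
! Constructed example: restrict what may reach the VXLAN decapsulation IP.
! Sequence numbers are evaluated in order; first match wins.
ip access-list TUNNEL-DECAP-GUARD
   ! Allow the one tunnel protocol the endpoint is configured for.
   10 permit udp any host 192.0.2.10 eq 4789
   ! Drop any other protocol aimed at the decapsulation IP (e.g. GRE,
   ! IP-in-IP, or VXLAN on a non-standard port).
   20 deny ip any host 192.0.2.10
   ! Everything else (transit, other local addresses) is unaffected.
   30 permit ip any any
!
interface Ethernet1
   ip access-group TUNNEL-DECAP-GUARD in
```

If the decapsulation IP also terminates underlay protocols (for example BGP or BFD on the same loopback), add explicit permits for those before sequence 20, and apply the ACL inbound on every interface from which tunneled packets can arrive, since the decapsulation IP is reachable through any of them.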

Sources