Tunnel-decapsulation flaw in Arista EOS (CVE-2026-7473) — forwarding unexpected packets
Arista EOS, the operating system for Arista network switches, has an incomplete-comparison flaw in tunnel decapsulation: the switch can wrongly decapsulate and forward unexpected tunneled packets whose destination matches its configured decapsulation IP. CISA lists it in the Known Exploited Vulnerabilities (KEV) catalog; NVD rates it CVSS 5.8 (Medium).
Key facts
- CVE ID: CVE-2026-7473
- CVSS base score: 5.8 MEDIUM
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
- Affected (vendor / product): Arista Extensible Operating System
- CWE: CWE-1023
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-06-23 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Incomplete comparison (CWE-1023) during tunnel decapsulation in Arista EOS (switch OS)
- Unexpected tunneled packets destined to the configured decapsulation IP can be wrongly decapsulated and forwarded
- Can be abused to bypass network segmentation and slip past access controls
- Listed in CISA KEV = exploitation confirmed; CVSS 5.8 Medium, per NVD (impact reaches the network — scope changed)
- Response: apply Arista's fix and review tunnel/decapsulation configuration
CVE-2026-7473 is an incomplete-comparison vulnerability (CWE-1023 — a comparison missing factors that should be considered) in Arista Extensible Operating System (EOS), the OS that runs Arista network switches.
Per public information, the switch's check when decapsulating a tunnel (encapsulated traffic) is insufficient, so it wrongly decapsulates and forwards even "unexpected" tunneled packets whose destination matches the configured decapsulation IP.
This matters because packets that should be kept outside — or routed only along specific paths — can pass through the switch into the internal network. "Segmentation," which protects a network by dividing it, can be bypassed, letting traffic slip past access controls to reach internal devices. The impact is limited to integrity (wrongful forwarding), but it reaches beyond the switch itself into the network.
Key response: check Arista's official information, identify affected EOS versions and tunnel/decapsulation configuration, and apply fixes/mitigations. Especially in environments configuring tunnel termination or decapsulation, reviewing the configuration and confirming that packets are not traversing unintended paths is advised.
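To make the CWE-1023 pattern concrete, the following is an added, hypothetical model written for this article, not Arista EOS code: the page does not say which factors the real check omits, so the "expected-tunnel" factors used here (outer source peer, encapsulation type, ingress interface) are assumptions chosen to illustrate the class of bug. The vulnerable check compares only the outer destination against the decapsulation IP; the hardened check compares every factor that defines expected tunnel traffic, and `audit` reports which constructed records the incomplete check would forward but the complete check would not, which is the kind of configuration review the response guidance above calls for.

```python
"""Toy model of an incomplete-comparison (CWE-1023) decapsulation decision.

Hypothetical illustration only: not Arista EOS code, and the factors
checked are assumptions, since the page does not name the omitted ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelConfig:
    decap_ip: str          # the switch's configured decapsulation address
    encap: str             # expected encapsulation type, e.g. "gre"
    peers: frozenset       # outer source addresses of expected tunnel endpoints
    ingress_ifaces: frozenset  # interfaces on which tunneled traffic is expected


@dataclass(frozen=True)
class OuterPacket:
    src: str      # outer source address
    dst: str      # outer destination address
    encap: str    # encapsulation type carried in the outer header
    iface: str    # interface the packet arrived on


def incomplete_decap_check(pkt: OuterPacket, cfg: TunnelConfig) -> bool:
    """Vulnerable pattern: the only factor compared is the outer destination,
    so any tunneled packet aimed at the decap IP is decapsulated and forwarded."""
    return pkt.dst == cfg.decap_ip


def complete_decap_check(pkt: OuterPacket, cfg: TunnelConfig) -> bool:
    """Hardened pattern: every factor that defines 'expected' tunnel traffic
    must match before the inner packet is released into the network."""
    return (
        pkt.dst == cfg.decap_ip
        and pkt.encap == cfg.encap
        and pkt.src in cfg.peers
        and pkt.iface in cfg.ingress_ifaces
    )


def audit(packets, cfg: TunnelConfig):
    """Return the records the incomplete check would decapsulate and forward
    but the complete check rejects: exactly the 'unexpected' tunneled traffic."""
    return [
        p for p in packets
        if incomplete_decap_check(p, cfg) and not complete_decap_check(p, cfg)
    ]


# Assumed configuration for the illustration (not taken from any real device).
CONFIG = TunnelConfig(
    decap_ip="10.0.0.1",
    encap="gre",
    peers=frozenset({"10.0.0.2"}),
    ingress_ifaces=frozenset({"Ethernet1"}),
)

# Constructed sample records, not captured traffic.
SAMPLE = [
    OuterPacket("10.0.0.2", "10.0.0.1", "gre", "Ethernet1"),      # expected tunnel traffic
    OuterPacket("198.51.100.7", "10.0.0.1", "gre", "Ethernet3"),  # unexpected peer and interface
    OuterPacket("10.0.0.2", "10.0.0.1", "vxlan", "Ethernet1"),    # wrong encapsulation type
    OuterPacket("10.0.0.2", "10.0.0.9", "gre", "Ethernet1"),      # not addressed to the decap IP
]

if __name__ == "__main__":
    for p in audit(SAMPLE, CONFIG):
        print("would be wrongly decapsulated and forwarded:", p)
```

Running the block lists the second and third sample records: both are addressed to the decapsulation IP, so the incomplete check accepts them, while the hardened check rejects them for an unexpected peer/interface and an unexpected encapsulation respectively. The same comparison can be applied to a tunnel configuration export or flow records to confirm that only traffic from the intended tunnel endpoints is being decapsulated.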
Why it matters
Concerns data centers and large networks that rely on tunneling and segmentation on Arista switches. Because bypassing segmentation undermines the premise of access control, patching and reviewing the tunnel configuration are the priorities. The case underscores the importance of protecting the boundary controls of network infrastructure.
FAQ
What is decapsulation (tunnel decoding)?
CVSS is 5.8 — not that high?
What should I do?
Sources (primary)
This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).