CVE Catalog

Actively exploited in the wild

Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability

Arista — Extensible Operating System · Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since 2026-06-09. KEV listing means CISA has evidence of active exploitation in the wild; it is a separate signal from the CVSS score below, which rates impact, not likelihood.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2026-7473

Severity: Medium · CVSS 5.8 · KEV

Exploitation Probability (EPSS)

Very high risk
22.47%

96th percentile — higher than 96% of all known CVEs

Summary

On affected platforms running Arista EOS with a tunnel decapsulation configuration, such as VXLAN, decap-groups, or a GRE tunnel interface, the switch decapsulates and forwards any tunneled packet whose destination IP matches a configured decapsulation IP, even when the packet uses a tunnel protocol that was not configured for that address. The root cause is that the decapsulation decision keys on the destination IP alone and does not verify the tunnel protocol type.

Risk Assessment

Because the switch strips the outer header and forwards the inner traffic for tunnel types that were never configured on that address, anyone who can send packets to a decapsulation IP can have encapsulated traffic injected into the network behind the switch. This bypasses filtering that assumes only the configured tunnel type terminates there, and may lead to unauthorized processing of tunnel traffic, data loss, or further network compromise.

Recommendation

Apply the fixed EOS release named in Arista's advisory for this CVE. Until the fix is in place, reduce exposure by restricting what can reach each decapsulation IP: allow only the expected tunnel protocol from expected peers (for example UDP destination port 4789 for VXLAN VTEP addresses, IP protocol 47 for GRE tunnel endpoints) and deny other traffic to those addresses, and monitor for tunneled packets arriving at a decapsulation IP with an unexpected protocol.

Original NVD description (English source)

On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.
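The following added example models the bug class described in the summary and the NVD text above: a decapsulation lookup that keys on destination IP alone, beside the corrected lookup that also checks the tunnel protocol type. It is not Arista code and does not reproduce EOS internals; the IPv4, UDP, GRE and VXLAN header layouts are the real ones, while the addresses, the decap configuration and the inner payload are constructed for the example.

```python
"""
Added example (not Arista code): a toy switch decapsulation path showing the
CVE-2026-7473 bug class, where a packet to a decap IP is decapsulated without
checking that its tunnel protocol matches the one configured for that IP.
Addresses, the DECAP_CONFIG table and INNER are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_GRE = 47
VXLAN_PORT = 4789

# Constructed configuration: which decapsulation IP terminates which tunnel type.
DECAP_CONFIG = {
    "10.0.0.1": "vxlan",   # VXLAN VTEP address
    "10.0.0.2": "gre",     # GRE tunnel interface address
}


@dataclass
class Outer:
    proto: int
    src: str
    dst: str
    udp_dst: Optional[int]   # set only when the outer protocol is UDP
    payload: bytes           # bytes after the outer IPv4 (+UDP) header


def parse_outer(pkt: bytes) -> Outer:
    """Parse the outer IPv4 header and, for UDP, the UDP header."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    body = pkt[ihl:]
    udp_dst = None
    if proto == IPPROTO_UDP:
        udp_dst = struct.unpack("!H", body[2:4])[0]
        body = body[8:]
    return Outer(proto, src, dst, udp_dst, body)


def vulnerable_decap(pkt: bytes) -> Optional[bytes]:
    """Vulnerable: any recognised tunnel header addressed to a decap IP is
    stripped and the inner payload forwarded, regardless of which tunnel
    type was configured for that IP (the missing factor in the comparison)."""
    o = parse_outer(pkt)
    if o.dst not in DECAP_CONFIG:
        return None
    if o.proto == IPPROTO_GRE:
        return o.payload[4:]            # 4-byte GRE header, no optional fields
    if o.proto == IPPROTO_UDP and o.udp_dst == VXLAN_PORT:
        return o.payload[8:]            # 8-byte VXLAN header
    return None


def fixed_decap(pkt: bytes) -> Optional[bytes]:
    """Fixed: the outer protocol must match the tunnel type configured for the
    destination IP; anything else addressed to a decap IP is dropped."""
    o = parse_outer(pkt)
    kind = DECAP_CONFIG.get(o.dst)
    if kind == "gre" and o.proto == IPPROTO_GRE:
        return o.payload[4:]
    if kind == "vxlan" and o.proto == IPPROTO_UDP and o.udp_dst == VXLAN_PORT:
        return o.payload[8:]
    return None


def ipv4(proto: int, src: str, dst: str, body: bytes) -> bytes:
    """Minimal IPv4 header without options; checksum left zero in this model."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + body


def gre(inner: bytes) -> bytes:
    """GRE header: no flags, protocol type 0x6558 (transparent Ethernet bridging)."""
    return struct.pack("!HH", 0, 0x6558) + inner


def vxlan(vni: int, inner: bytes) -> bytes:
    """UDP header to port 4789 followed by a VXLAN header with the I flag set."""
    udp = struct.pack("!HHHH", 12345, VXLAN_PORT, 8 + 8 + len(inner), 0)
    return udp + struct.pack("!II", 0x08000000, vni << 8) + inner


INNER = b"constructed inner frame"   # constructed payload, not real traffic


def demo() -> dict:
    """Run both decap paths over constructed packets; returns name -> (vulnerable, fixed)."""
    cases = {
        "gre_to_gre_ip":   ipv4(IPPROTO_GRE, "192.0.2.10", "10.0.0.2", gre(INNER)),
        "vxlan_to_vtep":   ipv4(IPPROTO_UDP, "192.0.2.10", "10.0.0.1", vxlan(100, INNER)),
        "gre_to_vtep":     ipv4(IPPROTO_GRE, "192.0.2.10", "10.0.0.1", gre(INNER)),   # the bug
        "vxlan_to_gre_ip": ipv4(IPPROTO_UDP, "192.0.2.10", "10.0.0.2", vxlan(100, INNER)),
        "gre_to_other_ip": ipv4(IPPROTO_GRE, "192.0.2.10", "10.0.0.9", gre(INNER)),
    }
    return {name: (vulnerable_decap(p), fixed_decap(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:16s} vulnerable={vuln!r:32s} fixed={fixed!r}")
```

The two mismatched cases (`gre_to_vtep`, `vxlan_to_gre_ip`) are the ones the NVD description calls "unexpected tunneled packets": the vulnerable path forwards their inner payload, the fixed path drops them, and the matching and non-decap cases behave identically in both. The same protocol-versus-address pairing is what an interim access-list on the decapsulation IP should enforce.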

Vulnerability data from NVD (NIST) · CISA KEV · EPSS