
CVE-2026-2379: Arista EOS IPsec Tunnel DoS Vulnerability

CVE-2026-2379 is a denial of service vulnerability in Arista EOS affecting IPsec tunnel stability. Interface flaps and agent restarts can cause sequence number mismatches, disrupting communications. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-2379 Overview

CVE-2026-2379 affects Arista EOS platforms with hardware IPsec support when certain IPsec features are enabled. The vulnerability stems from improper handling of an exceptional condition [CWE-672] during IPsec tunnel re-establishment. Physical interface flaps and certain agent restarts cause IPsec tunnels to re-establish using existing Security Associations (SAs). The reused SAs produce sequence number mismatches between tunnel endpoints, resulting in unstable communication across the affected tunnels.

Critical Impact

Network attackers can trigger or leverage interface flaps and agent restarts to induce IPsec sequence number desynchronization, disrupting confidentiality guarantees and stable communication on affected Arista EOS devices.

Affected Products

  • Arista EOS running on platforms with hardware IPsec support
  • Arista EOS configurations with IPsec features enabled
  • Refer to Arista Security Advisory #0134 for the specific affected releases and hardware

Discovery Timeline

  • 2026-06-05 - CVE-2026-2379 published to NVD
  • 2026-06-05 - Last updated in NVD database

Technical Details for CVE-2026-2379

Vulnerability Analysis

The vulnerability resides in Arista EOS IPsec tunnel state handling on devices that offload IPsec processing to hardware. When a physical interface flaps or specific control-plane agents restart, EOS reinitializes the affected IPsec tunnels. Instead of negotiating fresh Security Associations, the device reuses pre-existing SAs.

IPsec relies on monotonically increasing sequence numbers within each SA to provide anti-replay protection and integrity continuity. Reusing the same SA after a tunnel re-establishment causes the local and remote endpoints to disagree on the current sequence number. The anti-replay window then discards legitimate traffic, producing intermittent or sustained packet loss across the tunnel.

The CWE-672 mapping reflects the use of a resource (the Security Association) after its expected lifecycle has been disrupted. The condition is reachable over the network because remote events such as link instability can trigger interface flaps on the affected device.
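To make the failure mode concrete, the following added example (not Arista code, and not the window size of any specific platform) models a receiver's RFC 4303 sliding anti-replay window and shows what happens when a tunnel is re-established on a reused SA while the sender's counter restarts, versus a fresh SA on both sides:

```python
"""Sliding-window anti-replay model (RFC 4303, Appendix A), used to show how
a reused SA with a reset sender counter causes legitimate-traffic drops.
Constructed illustration only; parameters (window size, packet counts) are
assumed and not taken from any EOS platform."""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound SA."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.seen = set()       # accepted sequence numbers still inside the window
        self.drops = {"stale": 0, "replay": 0}

    def check(self, seq):
        """Return True if `seq` is accepted, False if it would be dropped."""
        if seq > self.highest:
            # Advance the window and forget entries that slid out of it
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size:
            self.drops["stale"] += 1    # behind the window: discarded as replay
            return False
        if seq in self.seen:
            self.drops["replay"] += 1   # inside the window but already seen
            return False
        self.seen.add(seq)
        return True


def simulate_reestablishment(pre_flap=1000, post_flap=1200, reuse_sa=True, window=64):
    """Deliver pre_flap packets, simulate a flap, then post_flap more packets.
    With reuse_sa=True the receiver keeps its window while the sender's counter
    restarts at 1 (the condition described for CVE-2026-2379); with
    reuse_sa=False both sides start from a fresh SA.
    Returns (post-flap packets delivered, receiver drop counters)."""
    rx = AntiReplayWindow(window)
    for seq in range(1, pre_flap + 1):
        rx.check(seq)
    if not reuse_sa:
        rx = AntiReplayWindow(window)   # fresh SA: new window and new counter
    delivered = sum(rx.check(seq) for seq in range(1, post_flap + 1))
    return delivered, rx.drops
```

With the defaults, the reused SA discards the first 1000 post-flap packets (936 as stale, 64 as in-window replays) and only recovers once the sender's counter climbs past the receiver's window, which is the sustained loss the text describes.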

Root Cause

The defect lies in the tunnel re-establishment path within the IPsec subsystem on hardware-accelerated platforms. EOS fails to invalidate or renegotiate existing SAs after specific reset events, allowing reuse of state that should be considered expired.

Attack Vector

Exploitation requires network adjacency to influence link state or the ability to induce qualifying agent restarts. Once the trigger occurs, sequence number mismatches propagate to the peer, degrading or preventing communication. The CVSS v4.0 metrics indicate impact to confidentiality without requiring authentication or user interaction.

No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.044%.

See the Arista Security Advisory #0134 for technical details on the affected code paths.

Detection Methods for CVE-2026-2379

Indicators of Compromise

  • Unexplained packet loss or one-way traffic across IPsec tunnels following interface flap events
  • Anti-replay drop counters incrementing on IPsec SAs after tunnel re-establishment
  • Tunnel endpoints reporting mismatched outbound and inbound sequence numbers for the same SA
  • IPsec agent restart entries in EOS logs correlated with subsequent tunnel instability

Detection Strategies

  • Correlate Ethernet interface flap events with IPsec SA state transitions in EOS syslog
  • Monitor show ipsec sa counters for sustained replay drops after link recovery
  • Alert on agent restart messages for IPsec-related processes followed by tunnel traffic anomalies
  • Compare sequence number telemetry from both tunnel endpoints to detect desynchronization
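The correlation described in the first three strategies above, as an added example rather than any vendor tooling: the syslog lines are constructed to resemble EOS output, and the IpsecAgent message text is a placeholder, not Arista's actual log format.

```python
"""Correlate interface link recovery with IPsec tunnel re-establishment and a
subsequent replay-drop counter increase for the same peer. Added illustration;
log lines are constructed and the IPsec message wording is assumed."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog: timestamp, hostname, process, message.
SAMPLE_LOG = """\
2026-06-05T10:00:01 edge1 Ebra: Line protocol on Interface Ethernet3, changed state to down
2026-06-05T10:00:04 edge1 Ebra: Line protocol on Interface Ethernet3, changed state to up
2026-06-05T10:00:06 edge1 IpsecAgent: tunnel peer 203.0.113.2 re-established, reusing existing SA
2026-06-05T10:00:20 edge1 IpsecAgent: peer 203.0.113.2 replay drops 0 -> 418
2026-06-05T11:30:00 edge1 Ebra: Line protocol on Interface Ethernet7, changed state to down
2026-06-05T11:30:03 edge1 Ebra: Line protocol on Interface Ethernet7, changed state to up
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
LINK_UP_RE = re.compile(r"Interface (\S+), changed state to up")
REESTAB_RE = re.compile(r"peer (\S+) re-established")
REPLAY_RE = re.compile(r"peer (\S+) replay drops (\d+) -> (\d+)")


def parse(log):
    """Return (timestamp, host, process, message) tuples for well-formed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, msg = m.groups()
            events.append((datetime.fromisoformat(ts), host, proc, msg))
    return events


def detect_desync(log, window_s=60):
    """Alert when a link recovery is followed within window_s seconds by a
    tunnel re-establishment and then a replay-drop increase for that peer."""
    events = parse(log)
    alerts = []
    for ts, host, _proc, msg in events:
        up = LINK_UP_RE.search(msg)
        if not up:
            continue
        deadline = ts + timedelta(seconds=window_s)
        later = [m for t, h, _p, m in events if h == host and ts < t <= deadline]
        reestablished = {r.group(1) for r in map(REESTAB_RE.search, later) if r}
        for r in map(REPLAY_RE.search, later):
            if r and r.group(1) in reestablished and int(r.group(3)) > int(r.group(2)):
                alerts.append({"host": host, "interface": up.group(1), "peer": r.group(1),
                               "replay_drops": int(r.group(3)) - int(r.group(2))})
    return alerts
```

The Ethernet7 flap produces no alert because no tunnel re-establishment or replay drops follow it, which keeps ordinary link instability from paging on its own.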

Monitoring Recommendations

  • Forward EOS syslog and SNMP traps to a centralized SIEM and build detections for IPsec replay-window drops
  • Track interface flap rates on tunnel-bearing ports and trigger investigation on repeated flaps
  • Baseline IPsec tunnel throughput so deviations after reset events are surfaced quickly
  • Review Arista support advisories regularly for updates to affected release lists

How to Mitigate CVE-2026-2379

Immediate Actions Required

  • Identify all Arista EOS devices with hardware IPsec support and enabled IPsec features
  • Apply the fixed EOS release identified in Arista Security Advisory #0134
  • Stabilize physical links carrying IPsec tunnels and investigate root causes of interface flaps
  • Manually clear and renegotiate affected IPsec SAs if sequence mismatches are observed

Patch Information

Arista has published remediation guidance in Security Advisory #0134. Administrators should consult the advisory for the list of fixed EOS versions corresponding to their hardware platform and upgrade affected devices following Arista's recommended procedure.

Workarounds

  • Disable affected IPsec features on impacted platforms where operationally feasible until patched
  • Manually reset IPsec tunnels after interface flaps or agent restarts to force fresh SA negotiation
  • Reduce interface instability through cabling, optics, and peer-side remediation to limit trigger events
  • Apply the vendor-provided workaround steps documented in the Arista advisory

```bash
# Example: manually clear an IPsec Security Association on Arista EOS
# Replace <peer-address> with the affected tunnel peer
clear ipsec sa peer <peer-address>

# Verify SA state and replay counters after re-negotiation
show ipsec sa peer <peer-address> detail
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
