
CVE-2026-7473: Arista EOS Tunnel DOS Vulnerability

CVE-2026-7473 is a denial of service vulnerability in Arista EOS affecting tunnel decapsulation configurations. Attackers exploit improper protocol verification to process unexpected tunnel traffic. Explore technical details, impact, and mitigations.


CVE-2026-7473 Overview

CVE-2026-7473 affects Arista EOS platforms configured with tunnel decapsulation features such as Virtual Extensible LAN (VXLAN), decap-groups, or Generic Routing Encapsulation (GRE) tunnel interfaces. The switch fails to verify the tunnel protocol type before processing incoming packets. Any packet with a destination IP matching the configured decapsulation IP is decapsulated and forwarded, regardless of whether its tunnel protocol matches the configured tunnel type. CISA has added this issue to the Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in the wild against production network infrastructure.

Critical Impact

Remote unauthenticated attackers can inject arbitrary tunneled traffic that bypasses network segmentation by reaching the inner forwarding path of affected Arista switches.

Affected Products

  • Arista EOS (across affected releases)
  • Arista 7280R/R2/R3 series fixed and modular switches
  • Arista 7500R/R2/R3 and 7800R3 series modular routing platforms

Discovery Timeline

  • 2026-06-05 - CVE-2026-7473 published to NVD
  • 2026-06-09 - Last updated in NVD database
  • Reported as exploited in the wild - Added to the CISA Known Exploited Vulnerabilities catalog

Technical Details for CVE-2026-7473

Vulnerability Analysis

The defect is an input validation flaw in the EOS forwarding pipeline, classified under CWE-1023 (Incomplete Comparison with Missing Factors). When a tunnel decapsulation feature is configured, EOS programs hardware to strip the outer header of packets destined for the configured tunnel termination IP. The decision to decapsulate is based on the destination IP alone; the switch does not validate that the encapsulation protocol matches what was configured. An attacker who can route traffic toward the tunnel endpoint IP can therefore deliver crafted packets of an unrelated tunnel type and have them processed as if they were legitimate tunneled traffic.

Root Cause

The forwarding logic compares the outer destination IP against the configured decapsulation address but omits a check against the expected tunnel protocol identifier. A device configured only for VXLAN will still decapsulate GRE or IP-in-IP packets sent to that same IP, and the inner payload is injected directly into the routing or bridging plane. This breaks the implicit trust boundary that operators rely on when restricting which tunnel types terminate on the switch.

Attack Vector

Exploitation requires no authentication and no user interaction. The attacker sends crafted tunneled packets across the network toward the IP address used by the switch for decapsulation. Because the protocol type is not verified, the inner packet emerges inside the trust zone served by the switch, allowing the attacker to reach internal hosts, bypass access control lists applied at the perimeter, or pivot across VRFs and overlay segments. The attack scales to any reachable Arista device with a tunnel decapsulation configuration enabled.

Detection Methods for CVE-2026-7473

Indicators of Compromise

  • Unexpected GRE, IP-in-IP, or VXLAN packets arriving at switches configured only for a different tunnel type.
  • Inner traffic appearing in internal VLANs or VRFs that has no corresponding outer flow record from authorized tunnel peers.
  • ACL or flow log entries showing traffic sourced from IPs that should only exist behind tunnel endpoints, originating from non-peer routers.

Detection Strategies

  • Inspect tunnel termination IPs with packet capture and correlate the outer protocol against the configured decapsulation type.
  • Compare NetFlow/sFlow exports from upstream routers against expected tunnel peer lists to surface anomalous tunnel protocols hitting the switch.
  • Audit running configurations for interface Tunnel, vxlan, and decap-group stanzas and map each terminating IP to its authorized protocol.
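The last bullet, as an added Python example that is not part of the original page and not Arista tooling: it walks a running-config and maps each tunnel termination IP to the one protocol that should ever reach it, which is the list a capture or flow review is then checked against. SAMPLE_CONFIG is constructed for illustration, and the stanza forms it relies on (interface Vxlan1 with vxlan source-interface, interface TunnelN with tunnel mode and tunnel source, ip decap-group with tunnel type and tunnel decap-ip) are the common EOS ones but are an assumption to verify against the release in use; the function names are my own.

```python
"""Audit an Arista EOS running-config and map each tunnel termination IP to
the tunnel protocol it is configured to terminate.

Added example for this write-up, not Arista's own tooling.  SAMPLE_CONFIG is
constructed; the stanza keywords are the common EOS forms and should be
checked against the installed release before the parser is trusted.
"""
import re

SAMPLE_CONFIG = """\
interface Loopback1
   ip address 10.0.0.1/32
!
interface Loopback2
   ip address 10.0.0.2/32
!
interface Vxlan1
   vxlan source-interface Loopback1
   vxlan udp-port 4789
   vxlan vlan 10 vni 10010
!
interface Tunnel0
   tunnel mode gre
   tunnel source 10.0.0.2
   tunnel destination 192.0.2.10
!
ip decap-group DG-IPIP
   tunnel type ipip
   tunnel decap-ip 10.0.0.3
!
"""


def parse_stanzas(config_text):
    """Split config text into (header, [indented body lines]) pairs.
    A '!' or blank line ends a stanza; an unindented line starts a new one."""
    stanzas, header, body = [], None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            if header is not None:
                stanzas.append((header, body))
            header, body = None, []
        elif line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                stanzas.append((header, body))
            header, body = line, []
    if header is not None:
        stanzas.append((header, body))
    return stanzas


def first_match(pattern, lines):
    """Return group(1) of the first body line matching pattern, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def tunnel_termination_map(config_text):
    """Return {termination_ip: (protocol, stanza_header)}.  Any packet sent to
    one of these IPs should carry exactly the listed encapsulation."""
    stanzas = parse_stanzas(config_text)
    # VXLAN terminates on a source-interface, so resolve loopback addresses first.
    loopback_ip = {}
    for header, body in stanzas:
        m = re.match(r"interface (Loopback\d+)$", header)
        if m:
            addr = first_match(r"ip address (\S+)/\d+", body)
            if addr:
                loopback_ip[m.group(1)] = addr
    result = {}
    for header, body in stanzas:
        if header.startswith("interface Vxlan"):
            src_if = first_match(r"vxlan source-interface (\S+)", body)
            if src_if in loopback_ip:
                result[loopback_ip[src_if]] = ("vxlan", header)
        elif header.startswith("interface Tunnel"):
            mode = first_match(r"tunnel mode (\S+)", body)
            # 'tunnel source' may be an address or an interface name; resolve the latter.
            src = first_match(r"tunnel source (?:interface )?(\S+)", body)
            src = loopback_ip.get(src, src)
            if mode and src:
                result[src] = (mode, header)
        elif header.startswith("ip decap-group"):
            kind = first_match(r"tunnel type (\S+)", body)
            decap_ip = first_match(r"tunnel decap-ip (\S+)", body)
            if kind and decap_ip:
                result[decap_ip] = (kind, header)
    return result


if __name__ == "__main__":
    for ip, (proto, where) in sorted(tunnel_termination_map(SAMPLE_CONFIG).items()):
        print(f"{ip:<12} {proto:<6} ({where})")
```

Run it against the output of `show running-config` saved to a file; any termination IP that appears in the map with more than one expected protocol, or that is reachable from networks outside the peer set, is the place to start the packet-level review.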

Monitoring Recommendations

  • Forward EOS event-handler and syslog data to a centralized analytics platform to flag unexpected tunnel protocol counters incrementing.
  • Alert on new source IPs reaching tunnel termination addresses outside the documented peer set.
  • Track interface counters for IP-in-IP, GRE, and VXLAN on devices that should only process one of these protocols.
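The capture correlation from the detection list and the unknown-peer alert above, as one added Python example that is neither part of the original page nor Arista code: it parses the outer IPv4 header of each packet, classifies the encapsulation (GRE, IP-in-IP, or VXLAN by UDP/4789), and raises a finding when a packet to a termination IP carries a protocol other than the configured one or comes from a source outside the authorized peer set. POLICY and the packets in SAMPLE_PACKETS are constructed by hand; in practice the packets would come from a capture on the uplink or a flow export, and the policy from the device configuration.

```python
"""Flag tunnel packets that reach a decapsulation IP with the wrong
encapsulation or from an unauthorised peer.

Added example for this page, not Arista code.  POLICY and SAMPLE_PACKETS are
constructed for illustration.
"""
import struct
import ipaddress

# Constructed policy: the one tunnel protocol each termination IP should
# receive and the peers allowed to send it.
POLICY = {
    "10.0.0.1": {"protocol": "vxlan", "peers": {"192.0.2.10", "192.0.2.11"}},
    "10.0.0.2": {"protocol": "gre", "peers": {"192.0.2.10"}},
}
VXLAN_PORT = 4789


def build_ipv4(src, dst, proto, payload=b""):
    """Minimal IPv4 header (no options, zero checksum) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload=b""):
    """UDP header with zero checksum followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_tunnel(pkt):
    """Return (src, dst, kind) with kind in {'gre', 'ipip', 'vxlan', None},
    or None if the bytes are not an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto == 47:
        kind = "gre"
    elif proto == 4:
        kind = "ipip"
    elif proto == 17 and len(pkt) >= ihl + 8:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        kind = "vxlan" if dport == VXLAN_PORT else None
    else:
        kind = None
    return src, dst, kind


def check_packet(pkt, policy=POLICY):
    """Return a finding string, or None if the packet is consistent with policy."""
    parsed = classify_tunnel(pkt)
    if parsed is None:
        return None
    src, dst, kind = parsed
    rule = policy.get(dst)
    if rule is None or kind is None:
        return None  # not tunnel traffic to a termination IP
    if kind != rule["protocol"]:
        return f"protocol mismatch: {kind} from {src} to {dst}, configured {rule['protocol']}"
    if src not in rule["peers"]:
        return f"unknown peer: {kind} from {src} to {dst}"
    return None


# Constructed packets: one legitimate VXLAN flow, GRE and IP-in-IP aimed at the
# VXLAN endpoint, VXLAN from an unlisted peer, a legitimate GRE flow, and GRE
# to an IP that terminates nothing.
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "10.0.0.1", 17, build_udp(50000, 4789, b"\x08\x00\x00\x00\x00\x27\x1a\x00")),
    build_ipv4("198.51.100.7", "10.0.0.1", 47, b"\x00\x00\x65\x58"),
    build_ipv4("198.51.100.7", "10.0.0.1", 4, b""),
    build_ipv4("203.0.113.5", "10.0.0.1", 17, build_udp(50001, 4789, b"")),
    build_ipv4("192.0.2.10", "10.0.0.2", 47, b""),
    build_ipv4("192.0.2.10", "10.0.0.9", 47, b""),
]


def run_checks(packets=SAMPLE_PACKETS, policy=POLICY):
    """Return the list of findings for a batch of packets."""
    return [f for f in (check_packet(p, policy) for p in packets) if f]


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

The protocol check in check_packet is the comparison the advisory describes as missing from the decapsulation decision: destination IP and encapsulation type are evaluated together. Feeding it real captures needs only a reader that yields the raw IPv4 bytes of each frame.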

How to Mitigate CVE-2026-7473

Immediate Actions Required

  • Apply the fixed EOS release identified in the Arista Security Advisory #24005 for your hardware platform.
  • Inventory all switches with VXLAN, GRE, or decap-group configuration and prioritize those exposed to untrusted or partner networks.
  • Review the CISA Known Exploited Vulnerabilities entry and follow the remediation deadline applicable to federal civilian agencies as a baseline for private sector timelines.

Patch Information

Arista has published fixed EOS releases in the Arista Security Advisory #22872 and the updated Arista Security Advisory #24005. The patch enforces tunnel protocol type validation alongside the destination IP check during decapsulation. Operators should consult the advisory matrix to select the corrected train for their installed EOS branch.

Workarounds

  • Apply ingress control-plane and data-plane ACLs that permit only the expected tunnel protocol toward the decapsulation IP and drop all others.
  • Restrict reachability of the tunnel termination IP to known peer routers using infrastructure ACLs or uRPF where supported.
  • Where feasible, terminate the tunnel on a loopback IP that is not reachable from untrusted networks and use routing policy to constrain advertisement of that prefix.
```
! Example ingress ACL restricting traffic to a VXLAN decap endpoint (10.0.0.1).
! Permit only UDP/4789 (VXLAN) from authorized peers; deny the other tunnel
! protocols (GRE, IP-in-IP as protocol 4) and VXLAN from anyone else
! before the catch-all permit.
ip access-list TUNNEL-DECAP-GUARD
   10 permit udp host 192.0.2.10 host 10.0.0.1 eq 4789
   20 permit udp host 192.0.2.11 host 10.0.0.1 eq 4789
   30 deny gre any host 10.0.0.1
   40 deny 4 any host 10.0.0.1
   50 deny udp any host 10.0.0.1 eq 4789
   60 permit ip any any
!
! Apply on every interface that can carry untrusted traffic toward 10.0.0.1,
! not only on a single uplink.
interface Ethernet1
   ip access-group TUNNEL-DECAP-GUARD in
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
