Arista EOS Tunnel Decapsulation Bypass (CVE-2026-7473)
Severity Assessment
- Exploitability: 8/10 — NVD lists network attack vector, low attack complexity, no privileges required, and no user interaction for affected tunnel endpoint configurations.
- Impact: 5/10 — The documented impact is low integrity impact to the vulnerable system and subsequent system, with no confidentiality or availability impact in the CVSS 4.0 and 3.1 metrics.
- Weaponization Risk: 7/10 — Arista’s CNA text states that the issue has been reported as exploited in the wild, and CISA added the vulnerability to KEV on 2026-06-09.
- Patch Urgency: 8/10 — CISA set a 2026-06-23 required action deadline for covered federal systems.
- Detection Coverage: 5/10 — The issue is observable through unexpected tunnel decapsulation behavior and traffic forwarding, but public sources do not provide attacker infrastructure or packet captures.
Summary
CVE-2026-7473 is a medium-severity vulnerability in Arista Extensible Operating System. The flaw affects Arista EOS platforms when tunnel decapsulation is configured, including VXLAN, decap-groups, or GRE tunnel interfaces. NVD and Arista’s CVE description state that affected switches can incorrectly decapsulate and forward unexpected tunneled packets whose destination IP matches the configured decapsulation IP.
The issue is caused by incomplete verification of tunnel protocol type. A device configured to decapsulate one tunnel type may process other tunnel protocols sent to the same decapsulation address, even when those protocols were not explicitly configured. The impact is unexpected processing and forwarding of non-configured tunnel traffic.
CISA added CVE-2026-7473 to the Known Exploited Vulnerabilities catalog on 2026-06-09. CISA lists Arista Extensible Operating System as the affected product, maps the vulnerability to CWE-1023, and sets 2026-06-23 as the required action deadline for covered federal systems. Public sources reviewed here do not identify an actor, campaign, victim set, or ransomware use.
Exploit Chain
Stage 1: Identify an affected tunnel endpoint
The attacker needs a reachable Arista EOS device configured as a tunnel endpoint with a decapsulation IP. Arista’s advisory examples include VXLAN VTEP configurations, GRE tunnel endpoints, and ip decap-group configurations.
Stage 2: Send unexpected tunneled traffic
The attacker sends tunneled packets whose destination IP matches the configured decapsulation IP but whose tunnel protocol type is not the one the switch was configured to decapsulate. NVD describes this as unexpected tunneled traffic that can be processed because the switch does not verify the tunnel protocol type.
Stage 3: Trigger non-configured decapsulation and forwarding
The affected EOS device incorrectly decapsulates and forwards the traffic. This can undermine segmentation assumptions around tunnel endpoints by allowing traffic from an unexpected tunnel protocol to be processed through the configured decapsulation address.
Detection Guidance
- Inventory Arista EOS devices configured with VXLAN VTEPs, GRE tunnel interfaces, or decap-groups.
- Review tunnel endpoint configuration and identify every configured decapsulation IP address.
- Monitor for tunneled packets arriving at a decapsulation IP with a protocol type that does not match the configured tunnel service.
- Compare observed tunnel protocol mixes against expected network design; unexpected GRE, VXLAN, NVGRE, GUE, IP-in-IP, or IP-in-IPv6 traffic to decapsulation addresses should be investigated.
- Apply Arista’s vendor mitigation or fixed software guidance and follow CISA KEV requirements for covered systems.
- Treat CISA’s ransomware-use field as unknown and avoid attributing observed traffic to a named actor without independent evidence.
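The monitoring steps above reduce to one check: every tunneled packet that reaches a known decapsulation IP should carry the tunnel protocol that endpoint was configured for. The following is an added example of that check, not code from Arista, CISA or NVD. It assumes outer-header flow records (as exported by NetFlow/sFlow or similar) with the IP protocol number, UDP destination port and, for GRE, the GRE protocol-type field; the inventory, addresses and flow records are constructed, and the function and field names are hypothetical. Tunnel types are labelled from IANA assignments (GRE is IP protocol 47, IP-in-IP 4, IPv6-in-IP 41, VXLAN UDP 4789, GUE UDP 6080, NVGRE is GRE with protocol type 0x6558).

```python
"""Flag tunneled traffic that reaches a configured decapsulation IP using a
tunnel protocol the endpoint was not configured for.
Hypothetical detection helper; not Arista, CISA or NVD code."""
from dataclasses import dataclass
from typing import Optional

# Outer-header fingerprints (IANA assignments) used to label the tunnel type.
IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE, IPPROTO_UDP = 4, 41, 47, 17
VXLAN_PORT, GUE_PORT = 4789, 6080
NVGRE_GRE_PROTOCOL_TYPE = 0x6558  # Transparent Ethernet Bridging carried in GRE


@dataclass(frozen=True)
class FlowRecord:
    """One outer-header observation, e.g. from a NetFlow/sFlow export (constructed)."""
    src_ip: str
    dst_ip: str
    ip_proto: int
    dst_port: Optional[int] = None           # meaningful only for UDP
    gre_protocol_type: Optional[int] = None  # meaningful only for GRE


def classify_tunnel(rec: FlowRecord) -> Optional[str]:
    """Return the tunnel protocol implied by the outer header, or None when the
    record is not one of the tunnel types this check understands."""
    if rec.ip_proto == IPPROTO_GRE:
        return "nvgre" if rec.gre_protocol_type == NVGRE_GRE_PROTOCOL_TYPE else "gre"
    if rec.ip_proto == IPPROTO_IPIP:
        return "ipip"
    if rec.ip_proto == IPPROTO_IPV6:
        return "ip6ip"
    if rec.ip_proto == IPPROTO_UDP:
        if rec.dst_port == VXLAN_PORT:
            return "vxlan"
        if rec.dst_port == GUE_PORT:
            return "gue"
    return None


def find_unexpected_tunnels(decap_endpoints: dict, flows: list) -> list:
    """decap_endpoints maps decapsulation IP -> set of tunnel types configured there.
    Returns (record, tunnel_type) pairs for tunneled traffic that hit a decap IP
    with a tunnel type that endpoint was not configured to terminate."""
    findings = []
    for rec in flows:
        configured = decap_endpoints.get(rec.dst_ip)
        if configured is None:
            continue  # not an inventoried tunnel endpoint; out of scope here
        tunnel = classify_tunnel(rec)
        if tunnel is not None and tunnel not in configured:
            findings.append((rec, tunnel))
    return findings


# Constructed inventory: the tunnel type each decapsulation IP is meant to terminate.
DECAP_ENDPOINTS = {
    "203.0.113.10": {"vxlan"},  # VXLAN VTEP loopback (example address)
    "203.0.113.20": {"gre"},    # GRE tunnel interface source (example address)
}

# Constructed flow records: two expected, three mismatched, one out of scope.
SAMPLE_FLOWS = [
    FlowRecord("198.51.100.5", "203.0.113.10", IPPROTO_UDP, dst_port=VXLAN_PORT),  # expected
    FlowRecord("198.51.100.6", "203.0.113.20", IPPROTO_GRE),                       # expected
    FlowRecord("198.51.100.7", "203.0.113.10", IPPROTO_GRE),                       # GRE at a VTEP
    FlowRecord("198.51.100.8", "203.0.113.10", IPPROTO_IPIP),                      # IP-in-IP at a VTEP
    FlowRecord("198.51.100.9", "203.0.113.20", IPPROTO_GRE,
               gre_protocol_type=NVGRE_GRE_PROTOCOL_TYPE),                         # NVGRE at a GRE endpoint
    FlowRecord("198.51.100.9", "203.0.113.99", IPPROTO_UDP, dst_port=GUE_PORT),    # not a decap IP
]

if __name__ == "__main__":
    for rec, tunnel in find_unexpected_tunnels(DECAP_ENDPOINTS, SAMPLE_FLOWS):
        print(f"INVESTIGATE {tunnel} from {rec.src_ip} to decap IP {rec.dst_ip} "
              f"(configured: {sorted(DECAP_ENDPOINTS[rec.dst_ip])})")
```

A hit is an investigation lead, not proof of exploitation: the inventory of decapsulation IPs and their configured tunnel types has to be accurate for the check to be meaningful, and the NVGRE case is flagged at a GRE-only endpoint because the page lists it among the protocols to investigate, not because the endpoint necessarily processes it.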
Indicators of Compromise
No attacker infrastructure, packet captures, or campaign indicators were published in the reviewed sources. The following are behavioral investigation leads:
- Non-configured tunnel protocol traffic sent to a known Arista EOS decapsulation IP.
- Unexpected decapsulation or forwarding of tunneled packets that do not match the configured tunnel type.
- GRE, VXLAN, NVGRE, GUE, IP-in-IP, or IP-in-IPv6 traffic patterns inconsistent with the approved tunnel design.
- Unexpected inner IPv4 or IPv6 traffic appearing behind a tunnel endpoint after arriving through a non-configured tunnel protocol.
- Changes in segmentation or forwarding behavior around Arista EOS tunnel endpoints after exposure to unusual tunneled traffic.
Disclosure Timeline
- 2026-05-05: Arista advisory published. Arista published Security Advisory 0137 describing the tunnel decapsulation issue in Arista EOS.
- 2026-06-05: NVD publication. NVD published CVE-2026-7473 with CVSS 3.1 score 5.8 (medium) and CVSS 4.0 score 6.9 (medium) from Arista.
- 2026-06-09: CISA KEV addition. CISA added CVE-2026-7473 to the Known Exploited Vulnerabilities catalog.
- 2026-06-09: NVD update. NVD updated the CVE record with CISA KEV metadata and last-modified information.
- 2026-06-23: CISA remediation deadline. CISA lists 2026-06-23 as the required action deadline for applicable federal civilian executive branch systems.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-06-09
- National Vulnerability Database: CVE-2026-7473 — National Vulnerability Database, 2026-06-05
- Arista Networks: Security Advisory 0137 — Arista Networks, 2026-05-05