CVE-2026-7473

Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass

CVSS 6.9 MEDIUM · EPSS 0.8% · KEV · CWE-1023
In short

Arista EOS switches with tunnel decapsulation configured (VXLAN, GRE, etc.) can incorrectly unpack and forward packets that weren't meant for them if the destination IP matches the tunnel's IP, because the switch doesn't check the tunnel protocol type. An attacker could exploit this to bypass network security controls or redirect traffic.

Technical detail

The vulnerability exists in Arista EOS tunnel decapsulation processing where the switch fails to validate the tunnel protocol type before decapsulation. An attacker can craft packets with a destination IP matching the configured tunnel interface but using a different protocol, causing the switch to incorrectly decapsulate and forward them. This leads to bypassing intended tunnel routing policies and potential traffic redirection.

Summary generated and translated by AI from the official description.
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packets with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
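The check the advisory says is missing can be made concrete with a small model of the decapsulation decision. The following Python is an added illustration, not Arista EOS code and not derived from it: it parses constructed IPv4 packets, and compares a decision that keys only on the destination IP (the flawed behaviour described above) with one that also requires the packet's actual encapsulation to match the tunnel type configured for that endpoint. The decap configuration, addresses and packets are all constructed for the example; the protocol constants (GRE = IP protocol 47, VXLAN = UDP port 4789) are standard.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Standard protocol constants (IANA): GRE is IP protocol 47, UDP is 17, VXLAN uses UDP port 4789.
GRE_PROTO = 47
UDP_PROTO = 17
VXLAN_PORT = 4789

# Hypothetical decapsulation configuration: endpoint IP -> tunnel type the operator configured.
# Addresses are constructed for this example and do not come from the advisory.
DECAP_CONFIG: Dict[str, str] = {"10.0.0.1": "vxlan", "10.0.0.2": "gre"}

# Constructed tunnel headers: VXLAN (flags 0x08, VNI 100) and GRE (no flags, proto 0x6558).
VXLAN_HDR = b"\x08\x00\x00\x00\x00\x00\x64\x00"
GRE_HDR = b"\x00\x00\x65\x58"


@dataclass(frozen=True)
class PacketInfo:
    dst_ip: str
    proto: int
    udp_dport: Optional[int]


def build_ipv4(dst_ip: str, proto: int, l4: bytes, src_ip: str = "192.0.2.10") -> bytes:
    """Construct a minimal IPv4 packet (no options, checksum left zero) for the samples below."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return header + l4


def build_udp(dport: int, payload: bytes, sport: int = 40000) -> bytes:
    """Construct a UDP header (checksum left zero) in front of the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv4(pkt: bytes) -> PacketInfo:
    """Extract only what the decapsulation decision needs: dst IP, IP protocol, UDP dst port."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto == UDP_PROTO else None
    return PacketInfo(dst_ip, proto, dport)


def tunnel_type_of(info: PacketInfo) -> Optional[str]:
    """Classify the outer packet by its actual encapsulation, or None if it is not a known tunnel."""
    if info.proto == GRE_PROTO:
        return "gre"
    if info.proto == UDP_PROTO and info.udp_dport == VXLAN_PORT:
        return "vxlan"
    return None


def vulnerable_decision(info: PacketInfo, config: Dict[str, str] = DECAP_CONFIG) -> str:
    """Model of the flawed behaviour: the decision keys on destination IP alone."""
    return "decapsulate" if info.dst_ip in config else "route"


def hardened_decision(info: PacketInfo, config: Dict[str, str] = DECAP_CONFIG) -> str:
    """Decapsulate only when the encapsulation matches the type configured for that endpoint."""
    expected = config.get(info.dst_ip)
    if expected is None:
        return "route"           # not a decap endpoint: ordinary forwarding
    if tunnel_type_of(info) == expected:
        return "decapsulate"     # the traffic the operator actually intended
    return "drop-and-log"        # mismatched or unknown encapsulation aimed at a decap IP


# Constructed sample packets covering the cases the advisory implies.
SAMPLES: Dict[str, bytes] = {
    "vxlan-to-vxlan-endpoint": build_ipv4("10.0.0.1", UDP_PROTO, build_udp(VXLAN_PORT, VXLAN_HDR)),
    "gre-to-vxlan-endpoint": build_ipv4("10.0.0.1", GRE_PROTO, GRE_HDR),
    "vxlan-to-gre-endpoint": build_ipv4("10.0.0.2", UDP_PROTO, build_udp(VXLAN_PORT, VXLAN_HDR)),
    "plain-udp-to-endpoint": build_ipv4("10.0.0.1", UDP_PROTO, build_udp(5000, b"hello")),
    "gre-to-non-endpoint": build_ipv4("10.0.0.9", GRE_PROTO, GRE_HDR),
}


def classify_samples() -> Dict[str, Tuple[str, str]]:
    """Return (vulnerable, hardened) decisions per sample so the two policies can be compared."""
    return {name: (vulnerable_decision(parse_ipv4(pkt)), hardened_decision(parse_ipv4(pkt)))
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in classify_samples().items():
        print(f"{name:26s} vulnerable={vuln:12s} hardened={hard}")
```

Only the first sample is traffic the configuration intended. Under the destination-IP-only policy every packet aimed at a decap IP is unpacked, including GRE sent to a VXLAN endpoint and plain UDP that is not a tunnel at all; the hardened policy unpacks only the matching encapsulation and turns the rest into a drop that can be counted, which is also the signal a defender would want to monitor for.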
Affected products
Arista Networks · EOS