External risk intelligence

Arista EOS Tunnel Decapsulation Packet Forwarding Vulnerability

CVE advisory · Known Exploit

CVE-2026-7473

On affected Arista EOS platforms with tunnel decapsulation configured, a vulnerability allows the switch to forward unexpected tunneled traffic. This occurs because the switch does not verify the tunnel protocol type when decapsulating packets, potentially leading to the processing of unintended traffic. This issue is

Halo Surface Signal: 2

Arista EOS

External exposure likelihood

Halo Surface Signal score for CVE-2026-7473

The vulnerability affects network tunnel decapsulation (VXLAN, GRE) on Arista network switches. These functions are typically deployed within core or aggregation infrastructure behind organizational network boundaries, rather than being directly exposed to the public internet. While reachable over a network, this configuration is not a common internet-facing edge service.

PCI scan relevance

PCI Relevance for CVE-2026-7473

Yes

CVE-2026-7473 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Arista EOS vulnerability allows unexpected tunnel traffic processing, which could bypass network segmentation and potentially lead to an ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Arista network switches could allow unauthorized traffic to be processed if certain tunneling configurations are active. This issue has reportedly been exploited in the wild.

  • Switches may process unexpected tunnel traffic.
  • Exploitation is occurring; confirming relevance is key.
  • Verify exposure on any active tunneling configurations.

Attack Path

How an attacker could exploit the issue

An attacker could target network switches that are configured to handle tunneled traffic, such as VXLAN or GRE. If a switch is set up to decapsulate specific tunnel types, it might improperly process other unexpected tunneled packets that share the same destination IP. This could lead to the switch forwarding unintended traffic, potentially exposing network segments or services. This issue is reported to be exploited in the wild.

  • Network access to configured decapsulation IP.
  • Sending unexpected tunneled packets.
  • Compromised network traffic forwarding.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unexpected tunneled traffic to be processed by network switches when tunnel decapsulation is configured. This might happen when a switch forwards packets whose destination IP matches its configured decapsulation IP without verifying the tunnel protocol type.

  • Network switch forwarding behavior.
  • Unexpected tunnel traffic processing.
  • Potential for network disruptions.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Infrastructure and network teams are likely responsible for addressing this vulnerability on Arista switches. The first practical step is to identify all affected Arista devices, confirm which ones are configured for tunnel decapsulation, and assess their business criticality and network exposure. Once ownership is confirmed, a remediation plan can be developed, potentially involving vendor coordination for updates or configuration changes.

  • Network infrastructure owners.
  • Verify tunnel decapsulation configurations.
  • Plan vendor-supported remediation.

Frequently asked questions

What is Arista EOS?

Arista Extensible Operating System (EOS) is the networking software that powers Arista’s high-performance switches. These devices act as the traffic controllers for enterprise data centers and cloud networks, managing how data moves across different segments by using technologies like VXLAN and GRE tunnels to bridge virtual and physical network environments.

What is the CVE-2026-7473 vulnerability?

This is an Incomplete Comparison with Missing Factors flaw (CWE-1023). It means the software fails to properly check the tunnel protocol type when receiving packets. Because it looks only at the destination IP address rather than the specific tunnel protocol, the switch can be tricked into decapsulating and forwarding unauthorized or unexpected traffic that it was not intended to process.

How is this tunnel vulnerability triggered?

The issue is triggered when a switch configured for tunnel decapsulation receives a packet that matches its configured destination IP. Importantly, this does not occur on switches that lack tunnel decapsulation configurations such as VXLAN or GRE. It is the presence of these specific tunnel interfaces combined with the switch's logic error that allows the unintended processing of packets.
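The incomplete comparison described in the two answers above can be modelled and turned into a detection check over flow records. This is an added example, not Arista code and not part of the advisory: the decap configuration, addresses, flow records and function names are constructed for illustration, and it models the flaw class rather than EOS internals.

```python
from ipaddress import ip_address

# IANA IP protocol numbers and the IANA-assigned VXLAN UDP port.
PROTO_UDP, PROTO_GRE = 17, 47
VXLAN_UDP_PORT = 4789

# Constructed decap configuration: decap IP -> tunnel type the operator intended.
DECAP_CONFIG = {ip_address("192.0.2.10"): "gre", ip_address("192.0.2.20"): "vxlan"}

def tunnel_type(proto, dport=None):
    """Classify the outer header's tunnel protocol, or None if it is not GRE/VXLAN."""
    if proto == PROTO_GRE:
        return "gre"
    if proto == PROTO_UDP and dport == VXLAN_UDP_PORT:
        return "vxlan"
    return None

def matches_ip_only(flow):
    """Incomplete comparison (CWE-1023): destination IP is the only factor checked."""
    return ip_address(flow["dst"]) in DECAP_CONFIG

def matches_ip_and_type(flow):
    """Complete comparison: destination IP and tunnel protocol type must both match."""
    expected = DECAP_CONFIG.get(ip_address(flow["dst"]))
    return expected is not None and tunnel_type(flow["proto"], flow.get("dport")) == expected

def unexpected_tunnel_flows(flows):
    """Tunnel flows the IP-only check accepts but the full check rejects."""
    return [f for f in flows
            if tunnel_type(f["proto"], f.get("dport")) is not None
            and matches_ip_only(f) and not matches_ip_and_type(f)]

# Constructed flow records using documentation address ranges, not real telemetry.
SAMPLE_FLOWS = [
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": 47},                 # GRE to GRE decap IP
    {"src": "198.51.100.6", "dst": "192.0.2.10", "proto": 17, "dport": 4789},  # VXLAN to GRE decap IP
    {"src": "198.51.100.7", "dst": "192.0.2.20", "proto": 17, "dport": 4789},  # VXLAN to VXLAN decap IP
    {"src": "198.51.100.8", "dst": "192.0.2.20", "proto": 47},                 # GRE to VXLAN decap IP
    {"src": "198.51.100.9", "dst": "192.0.2.30", "proto": 47},                 # GRE to a non-decap IP
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": 6, "dport": 22},     # TCP, not a tunnel
]

if __name__ == "__main__":
    for f in unexpected_tunnel_flows(SAMPLE_FLOWS):
        print("unexpected tunnel traffic:", f)
```

Run against exported flow data, the same comparison highlights tunnel traffic aimed at a decap IP with a protocol the operator never configured for it.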

Is my device affected by this vulnerability?

According to Halo Surface Signal, this vulnerability impacts network core or aggregation infrastructure. Because these functions are typically managed deep within private network boundaries rather than on public-facing edge services, the likelihood of direct internet exposure is generally low. However, internal reachability still warrants review if you rely on Arista EOS tunnel configurations.

What should I do to address CVE-2026-7473?

First, audit your network configuration to determine if your Arista switches are actively using VXLAN, GRE, or other decapsulation groups. If these features are in use, consult the official security advisory from Arista for verified guidance. Apply the recommended software updates or configuration changes provided by the vendor to ensure the switch correctly validates the tunnel protocol type.
