CVE-2026-7473: Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Summary
Arista Extensible Operating System (EOS) has a vulnerability where it incorrectly decapsulates and forwards unexpected tunneled packets. This occurs when the destination IP of the tunneled packet matches the switch's configured decapsulation IP.
IFF Assessment
Attackers could exploit this vulnerability to redirect traffic or gain unauthorized access, posing a risk to network security.
Severity
The vulnerability, identified as CVE-2026-7473, involves an incomplete comparison with missing factors. It allows for incorrect packet handling when a switch decapsulates unexpected tunneled traffic with a matching destination IP, which could lead to significant network disruption or compromise.
CISA KEV: Listed as actively exploited. Federal patch due: June 23, 2026. Known ransomware use: Unknown.
Defender Context
Defenders should be aware of this vulnerability in Arista EOS and apply vendor-provided mitigations promptly. Organizations using Arista devices should verify their configurations and monitor network traffic for any anomalies that could indicate exploitation.
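One way to approach the monitoring step above, as an added example that is not from Arista or from this advisory: flag tunneled flows addressed to the decapsulation IP whose tunnel type and source were never provisioned. The page does not name the affected tunnel protocols or the missing comparison factors, so the flow-record fields, the expected-peer table and all addresses here are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# IANA-assigned IP protocol numbers and the VXLAN UDP port.
GRE, IPIP, UDP, VXLAN_PORT = 47, 4, 17, 4789

@dataclass(frozen=True)
class Flow:  # hypothetical flow-record shape (e.g. from a flow export)
    src: str
    dst: str
    proto: int
    dport: int = 0

def encap_of(flow):
    """Return the tunnel type a flow record represents, or None if not tunneled."""
    if flow.proto == GRE:
        return "gre"
    if flow.proto == IPIP:
        return "ipip"
    if flow.proto == UDP and flow.dport == VXLAN_PORT:
        return "vxlan"
    return None

def unexpected_tunnel_flows(flows, decap_ip, expected):
    """Flag tunneled flows to decap_ip whose (type, source) pair was not provisioned."""
    # expected maps a tunnel type to the source prefixes allowed to send it.
    decap = ipaddress.ip_address(decap_ip)
    allowed = {t: [ipaddress.ip_network(p) for p in nets] for t, nets in expected.items()}
    hits = []
    for f in flows:
        encap = encap_of(f)
        # A destination match alone is not enough: type and source are checked too.
        if encap is None or ipaddress.ip_address(f.dst) != decap:
            continue
        src = ipaddress.ip_address(f.src)
        if not any(src in net for net in allowed.get(encap, [])):
            hits.append((f, encap))
    return hits

# Constructed sample data using documentation address ranges, not real traffic.
DECAP_IP = "192.0.2.1"
EXPECTED = {"vxlan": ["198.51.100.0/24"]}
SAMPLE = [
    Flow("198.51.100.7", "192.0.2.1", UDP, 4789),  # provisioned VXLAN peer
    Flow("203.0.113.50", "192.0.2.1", UDP, 4789),  # VXLAN from unknown source
    Flow("198.51.100.7", "192.0.2.1", GRE),        # tunnel type never provisioned
    Flow("203.0.113.50", "192.0.2.1", 6, 22),      # not tunneled, ignored
    Flow("203.0.113.50", "192.0.2.9", GRE),        # different destination, ignored
]
```

Calling `unexpected_tunnel_flows(SAMPLE, DECAP_IP, EXPECTED)` returns the second and third sample flows, each paired with its tunnel type.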