What is Arista EOS?
Arista Extensible Operating System (EOS) is the network operating system powering Arista's data center and campus switching and routing platforms. It is widely deployed in hyperscale data centers, financial institutions, and enterprise networks as a high-performance, programmable alternative to Cisco IOS/NX-OS. Arista switches are commonly used at the network core and distribution layers, making vulnerabilities that allow traffic injection or segmentation bypass especially dangerous in environments with strict east-west isolation requirements.
Overview
CVE-2026-7473 is a hardware ASIC-level tunnel protocol confusion vulnerability in Arista EOS. When a switch is configured for tunnel decapsulation (VXLAN, GRE, or similar), it fails to validate that incoming tunneled traffic uses the expected protocol type. An unauthenticated attacker can send traffic encapsulated in an unexpected tunnel protocol to the switch's decapsulation IP, causing the switch to silently decapsulate and forward the traffic into internal network segments — bypassing network segmentation controls. Arista has confirmed active exploitation and has stated that no software patch is planned due to the hardware nature of the flaw.
Affected Versions
| Platform Series | Vulnerable | Notes |
|---|---|---|
| 7020R, 7280R, 7280R2, 7500R, 7500R2 | All EOS releases | Full vulnerability; ACL mitigation available |
| 7280R3, 7500R3, 7800R3 | All EOS releases | Limited scope (IP-in-IPv6 and GUEv6 scenarios only) |
| 7020R4, 7280R4, 7500R4, 7700R4, 7800R4, most X-Series | Not affected | R4-generation ASICs are not vulnerable |
No EOS software version is fixed. All affected hardware versions remain vulnerable; mitigation is ACL-based only.
Technical Details
Arista's R-Series platforms use specific ASIC families that perform tunnel decapsulation in hardware forwarding pipelines. The validation logic is incomplete (CWE-1023: incomplete comparison with missing factors): when the switch is configured to decapsulate traffic destined to a specific IP address (e.g., for VXLAN on UDP/4789), the ASIC matches only on the destination IP and decapsulates any IP-encapsulated protocol arriving at that address — VXLAN, GRE, NVGRE, Geneve, or bare IP-in-IP — regardless of what protocol the switch was configured to accept.
An attacker who can send traffic to the switch's decapsulation IP from an external or untrusted segment can wrap arbitrary payloads in an unexpected tunnel protocol. The switch decapsulates the outer header and forwards the inner payload into the internal network, effectively tunneling past firewall ACLs and VLAN segmentation controls that would otherwise block direct traffic. The CVSS scope metric is "Changed" because the impact crosses from the attacker-reachable segment into the protected internal segment.
Attack characteristics:
- Attack vector: Network (no prior access to protected segment needed)
- Authentication required: None
- User interaction: None
- Impact: Traffic injection into internal network segments (segmentation bypass)
Discovery
Discovered by Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis at Comcast. Reported to Arista; advisory published May 5, 2026.
Exploitation Context
Arista's advisory explicitly states the issue "has been reported as being exploited in the wild." No specific threat actor has been publicly attributed. The primary exploitation impact is network segmentation bypass — an attacker on a less-trusted network segment can inject traffic into segments they should not be able to reach, bypassing firewall and VLAN isolation. This is particularly dangerous in multi-tenant data centers or environments with strict PCI-DSS or government network isolation requirements.
The lack of a software patch makes this a persistent risk for affected hardware that cannot be mitigated purely by software upgrade — only ACL controls or hardware refresh address the underlying issue.
Remediation
No software patch is available or planned. Mitigation is ACL-based only:
- Option A — Upstream ACLs: On routers or switches upstream of affected devices, apply ACLs permitting only the expected tunnel protocol (e.g., UDP/4789 for VXLAN) destined to the decapsulation IP, and denying all other encapsulated protocols.
- Option B — Device ACLs on 7020R/7280R/7500R: Apply MAC ACLs at ingress on the affected device to filter unexpected tunnel protocols before they reach the decapsulation pipeline.
- Option C — Device ACLs on 7280R3/7500R3/7800R3: Apply IPv6 PACLs with TCAM profile modifications to address the IPv6 tunnel scenario per Arista's advisory.
- Audit tunnel decapsulation configurations and remove any decapsulation endpoints that are not operationally required.
- Monitor for unexpected traffic crossing segmentation boundaries as a detection control for active exploitation.
- Hardware refresh to R4-generation ASICs (7020R4, 7280R4, 7500R4, 7700R4, 7800R4) eliminates the vulnerability at the hardware level for organizations planning refresh cycles.
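The following Python model is an added example (not Arista's code, and not from the advisory) that ties together the incomplete comparison described under Technical Details and the two mitigation controls above: it contrasts the destination-IP-only decapsulation match with the complete match a VXLAN endpoint should perform, encodes the Option A upstream ACL policy as a decision function, and runs a detection pass over constructed key=value flow records to surface unexpected tunnel protocols arriving at the decapsulation IP. The decapsulation address, flow-record format and sample flows are constructed for illustration; the protocol numbers and UDP ports are the IANA-assigned values.

```python
# Added example (not Arista's code): models the incomplete decapsulation
# comparison described in the advisory, the complete comparison it should be,
# the Option A upstream ACL, and a detection pass over constructed flow records.
from dataclasses import dataclass
from typing import Optional

# IANA-assigned IP protocol numbers and tunnel UDP ports
IPPROTO_IPIP = 4      # IP-in-IP
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41     # IPv6-in-IP
IPPROTO_GRE = 47      # GRE / NVGRE
VXLAN_PORT = 4789
GENEVE_PORT = 6081

DECAP_IP = "10.255.0.1"   # constructed: the switch's VXLAN decapsulation (VTEP) address


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None   # only set for UDP/TCP


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed key=value flow record such as
    'src=203.0.113.9 dst=10.255.0.1 proto=47' (dport is optional)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    port = kv.get("dport")
    return Flow(kv["src"], kv["dst"], int(kv["proto"]), int(port) if port is not None else None)


def encapsulation_name(flow: Flow) -> str:
    """Human-readable label for the outer encapsulation of a flow."""
    if flow.proto == IPPROTO_UDP and flow.dst_port == VXLAN_PORT:
        return "VXLAN"
    if flow.proto == IPPROTO_UDP and flow.dst_port == GENEVE_PORT:
        return "Geneve"
    if flow.proto == IPPROTO_GRE:
        return "GRE"
    if flow.proto == IPPROTO_IPIP:
        return "IP-in-IP"
    if flow.proto == IPPROTO_IPV6:
        return "IPv6-in-IP"
    return f"proto {flow.proto}"


def flawed_decap_match(flow: Flow, decap_ip: str = DECAP_IP) -> bool:
    """The incomplete comparison (CWE-1023) the advisory describes: only the
    destination address is checked, so any encapsulation gets decapsulated."""
    return flow.dst_ip == decap_ip


def complete_decap_match(flow: Flow, decap_ip: str = DECAP_IP) -> bool:
    """The comparison a VXLAN decapsulation endpoint should perform:
    destination address AND the configured encapsulation (UDP/4789)."""
    return flow.dst_ip == decap_ip and flow.proto == IPPROTO_UDP and flow.dst_port == VXLAN_PORT


def upstream_acl_permits(flow: Flow, decap_ip: str = DECAP_IP) -> bool:
    """Option A: on the upstream device, permit only UDP/4789 to the decap IP,
    deny everything else addressed to it, and leave unrelated traffic alone."""
    if flow.dst_ip != decap_ip:
        return True
    return complete_decap_match(flow, decap_ip)


def unexpected_encapsulations(lines, decap_ip: str = DECAP_IP):
    """Detection pass: flows the flawed check would decapsulate but the complete
    check would reject, i.e. unexpected tunnel protocols hitting the decap IP."""
    flows = [parse_flow_line(ln) for ln in lines]
    return [(f, encapsulation_name(f)) for f in flows
            if flawed_decap_match(f, decap_ip) and not complete_decap_match(f, decap_ip)]


# Constructed flow records: one legitimate VXLAN peer, three unexpected
# encapsulations aimed at the decap IP, and one unrelated flow.
SAMPLE_FLOWS = [
    "src=10.255.0.2 dst=10.255.0.1 proto=17 dport=4789",
    "src=203.0.113.9 dst=10.255.0.1 proto=47",
    "src=203.0.113.9 dst=10.255.0.1 proto=4",
    "src=203.0.113.9 dst=10.255.0.1 proto=17 dport=6081",
    "src=203.0.113.9 dst=10.0.1.20 proto=17 dport=53",
]

if __name__ == "__main__":
    for flow, name in unexpected_encapsulations(SAMPLE_FLOWS):
        print(f"ALERT unexpected {name} from {flow.src_ip} to decap IP {flow.dst_ip}")
    for line in SAMPLE_FLOWS:
        f = parse_flow_line(line)
        verdict = "permit" if upstream_acl_permits(f) else "deny"
        print(f"{verdict:6} {encapsulation_name(f):10} {line}")
```

Run stand-alone, the detection pass flags the GRE, IP-in-IP and Geneve flows addressed to the decapsulation IP and the ACL function denies exactly those three while permitting the legitimate VXLAN peer and the unrelated DNS flow. The same `upstream_acl_permits` predicate is what an Option A ACL expresses in device syntax: permit UDP/4789 to the decap IP, deny any other IP traffic to that IP, then permit the rest.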
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-7473 |
| Vendor / Product | Arista — Extensible Operating System |
| NVD Published | 2026-06-05 |
| NVD Last Modified | 2026-06-09 |
| CVSS 3.1 Score | 5.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-1023 (Incomplete Comparison with Missing Factors) |
| CISA KEV Added | 2026-06-09 |
| CISA KEV Deadline | 2026-06-23 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-05-05 | Arista publishes Security Advisory 0137; vulnerability reported by Comcast researchers |
| 2026-06-05 | CVE published |
| 2026-06-09 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-23 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Arista Security Advisory 0137 — CVE-2026-7473 | Vendor Advisory |
| NVD — CVE-2026-7473 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |