CVE-2026-7473

216.73.217.22

· Published 05/06/2026 17:17 · Modified 05/06/2026 19:03

Labels: CVE-2026-7473 2026-06-05 CVE-2026-7473 CWE-1023 [email protected]

Essential information

Published: 05/06/2026 17:17
Modified: 05/06/2026 19:03
Author: —
Creator: —
CVSS: 6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
arista / arista eos	`cpe:2.3:o:arista:arista_eos::::::::`
arista / vxlan	`cpe:2.3:a:arista:vxlan::::::::`
arista / gre	`cpe:2.3:a:arista:gre::::::::`