Description
On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition and attempt to reset the IPsec processing pipeline. After the reset, traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.
Published: 2026-06-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A specially crafted IPsec packet can cause the Arista EOS dataplane to halt processing of all IPsec traffic. The control plane may attempt to reset the IPsec pipeline, but this reset often fails to resume normal operation, leaving IPsec sessions unusable. Non‑IPsec traffic and IPsec flows that do not involve the affected device continue normally. The flaw involves packet parsing and state management and is classified as a CWE‑1286 denial of service issue.

Affected Systems

Arista Networks EOS devices that have IPsec enabled. The advisory does not specify version numbers, so the vulnerability applies to all EOS releases that support IPsec, regardless of minor or patch version.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score is not available, and it is not listed in CISA’s KEV catalog. The vector is remote and requires IPsec activation on the target. Once triggered, the denial of service can interrupt business services that depend on IPsec but does not provide privilege escalation or data exfiltration. The impact is limited to IPsec traffic, but the unavailability of cryptographic protection can have significant operational consequences.

Generated by OpenCVE AI on June 5, 2026 at 04:13 UTC.

Remediation

Vendor Solution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal. This may momentarily impact traffic.

Apply the configuration found at the URL to create a TCAM profile and then apply the TCAM profile as shown below.

    switch(config)#hardware tcam
    switch(config-tcam)#system profile ipsec-egress-padding-removal
    ! WARNING! Changing TCAM profile will cause forwarding agent(s) to exit and restart. All traffic through the forwarding chip managed by the restarting forwarding agent will be dropped.
    Proceed [y/n]y
    switch(config-tcam)#

To ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match ipsec-egress-padding-removal:

    switch(config-tcam)#show hardware tcam profile
                         Configuration                  Status
    FixedSystem          ipsec-egress-padding-removal   ipsec-egress-padding-removal

‘ipsec-egress-padding-removal’ differs from the ‘ipsec’ TCAM profile in two ways:

  • Egress IP ACLs are disabled
  • Fixes for BUG603398 and BUG1246592 are applied


Vendor Workaround

There are no mitigations for this vulnerability.


OpenCVE Recommended Actions

  • Upgrade EOS to a remediated release that contains the fix for this issue
  • Apply the TCAM profile ipsec-egress-padding-removal as directed in Arista’s configuration guide
  • If IPsec traffic does not resume after applying the TCAM profile, reboot the device or contact Arista support to troubleshoot residual state issues

Generated by OpenCVE AI on June 5, 2026 at 04:13 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arista; Arista eos
Vendors & Products | | Arista; Arista eos

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition and attempt to reset the IPsec processing pipeline. After the reset, traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.
Title | | Arista EOS Dataplane Denial of Service via Malformed IPsec Packet
Weaknesses | | CWE-1286
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Arista

Published:

Updated: 2026-06-05T18:31:35.487Z

Reserved: 2025-08-11T18:28:43.460Z

Link: CVE-2025-8873

Vulnrichment

Updated: 2026-06-05T18:31:29.823Z

NVD

Status: Awaiting Analysis

Published: 2026-06-04T23:16:48.413

Modified: 2026-06-05T15:02:34.977

Link: CVE-2025-8873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:07:13Z

Weaknesses
  • CWE-1286

    Improper Validation of Syntactic Correctness of Input