Description
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other, unexpected tunneled packets whose destination IP matches its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.



This issue has been reported as being exploited in the wild.
Published: 2026-06-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

On Arista EOS devices with a tunnel decapsulation configuration (VXLAN, decap-groups, or a GRE tunnel interface), the switch treats any tunneled packet whose destination IP matches the configured decapsulation IP as belonging to that tunnel, without checking that the encapsulation is the configured protocol. A packet carrying an unexpected tunnel type is therefore decapsulated and its inner packet forwarded according to the switch's forwarding tables. The primary impact is injection of attacker-chosen inner packets into the networks behind the switch, which could be used for reconnaissance or to reach segments that the tunnel boundary was expected to isolate. Both CVSS vectors on this page score this as a low integrity impact with no confidentiality or availability component.

Affected Systems

Affected platforms are Arista EOS switches configured with tunnel decapsulation (VXLAN, decap-groups, or a GRE tunnel interface); a device with none of these configured is not exposed. The description names no version range or fixed release, and the vendor states that no software fix is planned, so any current or recent release carrying such a configuration should be treated as affected.

Risk and Exploitability

The CVSS 4.0 score of 6.9 (5.8 under CVSS 3.1) places this vulnerability in the medium range. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so no widespread automated exploitation has been observed, although the description states that the issue has been exploited in the wild. Both CVSS vectors rate the attack as network-reachable with low complexity and no privileges or user interaction (AV:N/AC:L/PR:N/UI:N): an adversary who can route packets to the configured decapsulation IP can wrap a payload in a tunnel type the switch was not configured for and have it decapsulated and forwarded. The lack of protocol validation lets the switch forward non-configured tunnel traffic; the scored impact is integrity-only (VC:N/VI:L/VA:N, SC:N/SI:L/SA:N), so the practical concern is injection or diversion of traffic within the segments behind the switch rather than disclosure from the device itself.

Generated by OpenCVE AI on June 5, 2026 at 17:20 UTC.

Remediation

Vendor Solution

No software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments. The recommended resolution of this issue is to follow the appropriate mitigation instructions detailed in the workaround block.


Vendor Workaround

There are two broad approaches to mitigate this issue: (1) applying ACLs on upstream devices, or (2) applying ACLs on the devices where the unexpected decapsulation is happening. In both cases the idea is either to selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic. For example, if a network is configured to forward VXLAN traffic but GRE traffic is being unexpectedly forwarded, ACLs can be used either to allow just VXLAN traffic or to block GRE traffic. More details about using the ACL feature can be found in the Arista User Manual (https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1150869).

A note of caution: the following ACL-based mitigation recommendations assume that the tunnel IP is dedicated solely to receiving the configured tunnel protocol traffic. When adapting these rules for your environment, explicitly permit any additional protocol traffic, such as BGP or SSH, if that IP serves multiple functions. To maintain connectivity, ensure these permit statements are sequenced before any deny statements directed at the decapsulation IP. The following configurations align with the recommendations outlined in the Arista EOS Hardening Guide (https://arista.my.site.com/AristaCommunity/s/article/arista-eos-hardening-guide#Comm_Kna_ka0Uw00000097VJIAY_71).


OpenCVE Recommended Actions

  • Implement ACLs on upstream devices to allow only the intended tunnel protocol (e.g., VXLAN) and block all other tunneled traffic to the decapsulation IP.
  • On the EOS device performing decapsulation, configure ACLs (IP or MAC depending on the platform) to permit only the expected tunnel protocol and drop any other tunnel protocols addressed to the decapsulation IP, while still permitting, ahead of the deny, any non-tunnel services that IP hosts (for example BGP or SSH).
  • If the switch supports MAC ACLs or IPv6 PACLs, create the necessary UDF or packet class definitions and update the TCAM profile as described in the Arista User Manual and Hardening Guide to enforce the protocol restrictions.

Generated by OpenCVE AI on June 5, 2026 at 17:20 UTC.
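
The Python model below is an added example and is not code from Arista, OpenCVE or this page. It models the flawed decapsulation lookup described under Impact and Risk above (the destination IP is matched, the encapsulation type is not) next to a protocol-aware lookup, renders the "selectively allow" ACL that the vendor workaround and the recommended actions describe, and evaluates all three against constructed IPv4 packets. The decap IP 192.0.2.1, the peer addresses, the ACL name TUNNEL-DECAP-GUARD, and the mappings VXLAN = UDP/4789, GRE = IP protocol 47 and BGP/SSH = TCP 179/22 are assumptions; the ACL line form `<seq> permit|deny <proto> any host <ip> [eq <port>]` is the generic EOS form and should be checked against the Arista User Manual linked above before being applied.

```python
"""Added example, not Arista's code: the CVE's decapsulation lookup modelled next
to a protocol-aware one, plus an EOS-style ACL implementing the vendor workaround."""
import ipaddress
import struct

DECAP_IP = "192.0.2.1"  # assumed decap/VTEP IP (documentation range)
VXLAN_UDP_PORT = 4789
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (dst_ip, protocol, l4_dst_port); the port is None for non-TCP/UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto in (PROTO_TCP, PROTO_UDP) else None
    return str(ipaddress.ip_address(pkt[16:20])), proto, port


def vulnerable_decap(pkt, decap_ip):
    """The CVE behaviour: the destination IP is checked, but any encapsulation the
    platform can strip (GRE, or VXLAN over UDP) is accepted, whatever is configured."""
    dst, proto, port = parse_ipv4(pkt)
    return dst == decap_ip and (proto == PROTO_GRE or (proto == PROTO_UDP and port == VXLAN_UDP_PORT))


def protocol_aware_decap(pkt, decap_ip, tunnel):
    """Strip only the encapsulation actually configured for this IP."""
    dst, proto, port = parse_ipv4(pkt)
    if tunnel == "vxlan":
        return dst == decap_ip and proto == PROTO_UDP and port == VXLAN_UDP_PORT
    if tunnel == "gre":
        return dst == decap_ip and proto == PROTO_GRE
    raise ValueError(f"unknown tunnel type {tunnel!r}")


def eos_acl(decap_ip, tunnel, extra_tcp_ports=(179, 22), name="TUNNEL-DECAP-GUARD"):
    """'Selectively allow' ACL: permit the configured tunnel and the control-plane
    services sharing the IP (BGP, SSH), then deny everything else sent to that IP."""
    lines = [f"ip access-list {name}"]
    if tunnel == "vxlan":
        lines.append(f"   10 permit udp any host {decap_ip} eq {VXLAN_UDP_PORT}")
    else:
        lines.append(f"   10 permit {PROTO_GRE} any host {decap_ip}")
    for i, port in enumerate(extra_tcp_ports, start=2):  # these permits must precede the deny
        lines.append(f"   {i * 10} permit tcp any host {decap_ip} eq {port}")
    seq = (len(extra_tcp_ports) + 2) * 10
    lines.append(f"   {seq} deny ip any host {decap_ip}")
    lines.append(f"   {seq + 10} permit ip any any")  # EOS ACLs end in an implicit deny
    return "\n".join(lines)


def acl_evaluate(acl_text, pkt):
    """First-match evaluation of the ACL subset rendered above; True means permit."""
    dst, proto, port = parse_ipv4(pkt)
    names = {"ip": None, "tcp": PROTO_TCP, "udp": PROTO_UDP}
    for line in acl_text.splitlines()[1:]:
        toks = line.split()  # seq action proto any ( any | host IP [eq PORT] )
        action, rule_proto, spec = toks[1], toks[2], toks[4:]
        want_proto = names[rule_proto] if rule_proto in names else int(rule_proto)
        rule_dst = None if spec[0] == "any" else spec[1]
        rule_port = int(spec[3]) if len(spec) == 4 else None
        if want_proto in (None, proto) and rule_dst in (None, dst) and rule_port in (None, port):
            return action == "permit"
    return False  # implicit deny


def udp(dport, payload):  # UDP header with a fixed source port, checksum left zero
    return struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload


def tcp_syn(dport):  # bare 20-byte TCP SYN header
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


# Constructed samples: three packets aimed at the decap IP, one transit packet that is not.
SAMPLES = {
    "vxlan": build_ipv4("198.51.100.7", DECAP_IP, PROTO_UDP, udp(VXLAN_UDP_PORT, bytes(8) + bytes(14))),
    "gre": build_ipv4("198.51.100.7", DECAP_IP, PROTO_GRE, bytes([0, 0, 0x08, 0x00]) + bytes(20)),
    "bgp": build_ipv4("198.51.100.7", DECAP_IP, PROTO_TCP, tcp_syn(179)),
    "transit": build_ipv4("198.51.100.7", "203.0.113.9", PROTO_UDP, udp(VXLAN_UDP_PORT, bytes(8))),
}


def run_demo(tunnel="vxlan"):
    """Per sample: (vulnerable decap?, protocol-aware decap?, ACL permits?)."""
    acl = eos_acl(DECAP_IP, tunnel)
    return {n: (vulnerable_decap(p, DECAP_IP), protocol_aware_decap(p, DECAP_IP, tunnel),
                acl_evaluate(acl, p)) for n, p in SAMPLES.items()}


if __name__ == "__main__":
    print(eos_acl(DECAP_IP, "vxlan"))
    print(run_demo("vxlan"))
```

Running the script prints the rendered ACL and the per-packet results. The "gre" sample is the CVE case for a VXLAN-only configuration: the vulnerable lookup decapsulates it, the protocol-aware lookup rejects it, and the ACL drops it, while BGP to the same IP still passes because its permit is sequenced before the deny, which is the caveat the vendor workaround raises. Calling run_demo("gre") shows the mirror case, stray VXLAN arriving at a GRE decap IP. On EOS the rendered ACL would be bound with ip access-group TUNNEL-DECAP-GUARD in on the underlay-facing interfaces (assumed here, verify against the manual); whether the decapsulating switch itself can match the tunnel protocol depends on its ACL and TCAM capabilities, as the recommended actions note, which is why filtering on the upstream device is the other option.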

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added

Description | | On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.
Title | | Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
Weaknesses | | CWE-1023
References | |
Metrics | | cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}



MITRE

Status: PUBLISHED

Assigner: Arista

Published:

Updated: 2026-06-05T16:22:47.989Z

Reserved: 2026-04-29T20:08:22.118Z

Link: CVE-2026-7473

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-05T17:17:02.850

Modified: 2026-06-05T19:03:48.933

Link: CVE-2026-7473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T17:30:45Z

Weaknesses