Exposures › CVE-2026-7473
Arista EOS misdecapsulates tunneled packets due to an incomplete comparison vulnerability, enabling attackers to bypass security controls and potentially execute code on network devices.
This vulnerability allows attackers to exploit EOS switches by sending malformed tunneled packets that bypass decapsulation checks, potentially leading to remote code execution on network infrastructure. Defense-industrial-base organizations must patch immediately to prevent unauthorized access to critical network devices, as this could compromise the confidentiality and integrity of sensitive data in transit.
Shame score — Arista shipped a network OS with a critical security flaw that was actively exploited in the wild, indicating a failure to adequately secure their widely-deployed product.
Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.
No correlated FedRAMP products.