criticalCISA KEVCVE-2026-7473

Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability

Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.

ProductExtensible Operating System
CVSS6.9
EPSS0.00836
UpdatedJuly 9, 2026

Quick answer

Arista Extensible Operating System should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • -

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Arista EOS is affected by a tunneling and packet decapsulation handling issue. The fix is to install the Arista EOS release specified by the security advisory and verify tunnel, ACL, and routing behavior. Because this affects network forwarding, remediation should include exposure review and post-upgrade packet validation.

  1. Inventory all Arista EOS switches and routers with tunnel decapsulation, VXLAN, GRE, or related forwarding features enabled.
  2. Check the running EOS version against Arista Security Advisory 0137 and mark affected devices.
  3. Upgrade affected devices to the fixed EOS release recommended by Arista.
  4. Review decapsulation IPs, tunnel interfaces, ACLs, VRFs, and route policies for unintended forwarding paths.
  5. Temporarily restrict unexpected tunneled traffic to affected decapsulation addresses until upgrades are complete.
  6. Review flow logs, telemetry, and packet captures for unexpected encapsulated traffic before remediation.
  7. Save known-good configuration and roll back only to a fixed EOS image if operational issues appear.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every affected device is running a fixed EOS version from the Arista advisory.
  • Validate tunneled packets are handled only by approved tunnel endpoints after the update.
  • Run packet or telemetry checks to confirm unexpected encapsulated traffic is dropped or routed correctly.
  • Review network monitoring for forwarding anomalies after remediation.
  • Document fixed versions and run a Fixnx scan for any public management or network edge exposure.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-7473?

Arista Extensible Operating System versions listed as affected should be reviewed: -.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.