Arista Networks EOS Tunnel Decapsulation Improper Validation (SA0137)

Medium | Nessus Plugin ID 321106

Synopsis

The Arista Networks EOS device is affected by an incomplete comparison with missing factors vulnerability in its tunnel decapsulation handling.

Description

On affected platforms running Arista EOS where a tunnel decapsulation configuration is present, such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface, the switch will incorrectly decapsulate and forward tunneled packets of other, unexpected tunnel types whose destination IP matches its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type before decapsulating, so tunnel traffic that was never configured on the device may be processed and forwarded.

Note that Arista has stated that no software upgrade path or hotfix is planned to address this issue due to the risk of breaking existing configurations. The only remediation is the configuration-based mitigation (ACLs) referenced in the vendor advisory.

Please see the referenced Arista Security Advisory for more information.

Solution

There is no fixed version. Apply the access control list (ACL) mitigations referenced in the vendor advisory to restrict the tunnel protocols accepted at the configured decapsulation IP.

See Also

http://www.nessus.org/u?00ef8e0a

Plugin Details

Severity: Medium

ID: 321106

File Name: arista_eos_sa0137.nasl

Version: 1.1

Type: Combined

Family: Misc.

Published: 6/15/2026

Updated: 6/15/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-7473

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Vulnerability Information

CPE: cpe:/o:arista:eos

Required KB Items: Host/Arista-EOS/Version, Host/Arista-EOS/model

Vulnerability Publication Date: 5/5/2026

CISA Known Exploited Vulnerability Due Dates: 6/9/2026

Reference Information

CVE: CVE-2026-7473