Arista EOS CVE-2026-7473: Patch the KEV Tunnel Decapsulation Bug

Arista EOS CVE-2026-7473 patch checklist for VXLAN GRE decapsulation exposure, fixed EOS software, and fabric verification

Arista EOS CVE-2026-7473 is now in CISA’s Known Exploited Vulnerabilities catalog. CISA added the issue on June 9, 2026, with a due date of June 23, 2026 for covered federal systems. Arista’s advisory and the CVE record describe a tunnel decapsulation issue affecting some EOS platforms when decapsulation features such as VXLAN, decap-groups, or GRE tunnel interfaces are configured.

This matters for hosting providers, SaaS operators, campus networks, and data-center teams because tunnel behavior is often part of tenant isolation, overlay networking, private interconnects, lab fabrics, and routed service paths. If an affected switch handles unexpected tunneled traffic incorrectly, the review needs to include both patching and fabric validation.

This is a protect-only guide. It focuses on inventory, safe update planning, tunnel exposure review, and post-patch verification without publishing packet recipes, lab steps, or traffic patterns that would help someone test against a live switch.

What is affected

The official CVE record lists Arista EOS release families including 4.31.0 through 4.36.0 as affected, and Arista’s advisory is the source of truth for fixed releases, platform notes, and remediation steps. The issue is relevant where tunnel decapsulation configuration is present, such as VXLAN, decap-groups, or GRE tunnel interfaces.

What to do now

  1. Inventory Arista EOS switches. Include leaf, spine, border, lab, DR, customer-edge, and out-of-band-adjacent devices where EOS is deployed.
  2. Find tunnel decapsulation use. Identify VXLAN, GRE, decap-groups, and any design where a switch decapsulates tunneled traffic.
  3. Match software to Arista’s advisory. Use the vendor advisory for affected and fixed EOS releases instead of relying on memory or an old image repository.
  4. Plan the maintenance path. Back up running/startup configuration, capture interface and routing state, confirm MLAG/EVPN/BGP expectations, and stage the fixed EOS image.
  5. Drain carefully where needed. For production fabrics, follow your normal maintenance process for redundant paths, MLAG peers, routing adjacencies, EVPN control plane, and customer communication.
  6. Apply the fixed EOS release. Patch the affected switches according to Arista guidance and local change-control requirements.
  7. Review exposure after patching. Check whether decapsulation features are still needed, whether tunnel endpoints are restricted, and whether filtering matches the design.
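Steps 1 through 3 can be scripted against captured command output. The triage helper below is an added example, not code from the original post or from Arista: it parses text saved from `show version` and `show running-config`, checks whether the image falls inside the release range the CVE record lists (assumed here to be 4.31.0 through 4.36.0 inclusive, as stated above), and reports which decapsulation features appear in the config. The config keywords and the `Software image version` line format are assumptions; the vendor advisory remains the source of truth for fixed releases.

```python
"""Triage helper for the EOS CVE-2026-7473 checklist (added example)."""
import re

# Assumption: release families the CVE record lists as affected (page text).
AFFECTED_MIN = (4, 31, 0)
AFFECTED_MAX = (4, 36, 0)

# Assumption: config fragments that indicate the switch decapsulates tunnels.
DECAP_PATTERNS = {
    "vxlan": re.compile(r"^interface Vxlan\d+", re.M | re.I),
    "gre-tunnel": re.compile(r"^interface Tunnel\d+", re.M | re.I),
    "decap-group": re.compile(r"decap-group", re.I),
}


def parse_eos_version(show_version: str):
    """Return (major, minor, patch) from the 'Software image version' line."""
    m = re.search(r"Software image version:\s*(\d+)\.(\d+)\.(\d+)", show_version)
    if not m:
        raise ValueError("no EOS version found in show version output")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(version) -> bool:
    """True when the version sits inside the range the CVE record names."""
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def decap_features(running_config: str):
    """Names of decapsulation features found in the running-config text."""
    return sorted(n for n, p in DECAP_PATTERNS.items() if p.search(running_config))


def triage(hostname: str, show_version: str, running_config: str) -> dict:
    """Combine version and config checks into one inventory row."""
    ver = parse_eos_version(show_version)
    feats = decap_features(running_config)
    if version_in_affected_range(ver) and feats:
        action = "patch first: affected range and decapsulation configured"
    elif version_in_affected_range(ver):
        action = "patch: affected range, no decapsulation found (re-check design)"
    else:
        action = "outside listed range: confirm against advisory"
    return {"host": hostname, "version": ".".join(map(str, ver)),
            "decap": feats, "action": action}


# Constructed sample captures for a hypothetical leaf switch, not real devices.
SAMPLE_VERSION = "Arista DCS-7050SX3-48YC8\nSoftware image version: 4.32.1F\n"
SAMPLE_CONFIG = "interface Vxlan1\n   vxlan source-interface Loopback1\n!\n"

if __name__ == "__main__":
    print(triage("leaf1", SAMPLE_VERSION, SAMPLE_CONFIG))
```

Feed it one capture pair per switch from your inventory step and sort the rows by `action` to build the patch order.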

Hosting and data-center notes

If Arista EOS underpins tenant overlays, virtualization networks, backup paths, storage networks, Kubernetes clusters, or customer interconnects, treat this as a fabric maintenance item. The safest window is the one where you can see both the switch health and the services that depend on the overlay.

Do not stop at “the switch is back online.” Verify tenant reachability, routing, EVPN/VXLAN state, GRE dependencies, monitoring, customer paths, and logs. If the design no longer needs a decapsulation feature, removing or narrowing it may reduce future exposure.

Post-patch verification checklist

Sources

Need help planning an Arista EOS patch window or checking whether overlay behavior still matches the design? Fix I.T. Phill can help inventory the switches, prepare the maintenance plan, and verify the fabric after the update.