← Back to Blog
Zero-DayCISAKEVNetwork SecurityData Security

Arista EOS CVE-2026-7473 Forwards Untrusted Tunnel Traffic. The Fabric Is Not the Boundary.

Lattix branded cover for Arista EOS CVE-2026-7473. /40 section number, June 2026 KEV disclosure date, CVSS 6.9 no-patch statistic, IBM Plex Mono on dark grid background, surgical yellow accent on the object-level PEP in a network-fabric-to-data flow strip.

Arista Networks confirmed in June 2026 that CVE-2026-7473, a tunnel decapsulation flaw in the Arista Extensible Operating System (EOS), was exploited as a zero-day. On a switch configured as a tunnel decapsulation endpoint, the operating system does not verify the tunnel protocol type before it decapsulates a packet. A switch with a decapsulation IP configured through VXLAN, a GRE tunnel interface, or a decap-group decapsulates and forwards attacker-crafted tunneled traffic whose outer destination IP matches the configured decapsulation address. It carries a CVSS score of 6.9. The Cybersecurity and Infrastructure Security Agency added it to the Known Exploited Vulnerabilities catalog on June 9, 2026 and set a Federal Civilian Executive Branch remediation deadline of June 23, 2026 under Binding Operational Directive 22-01.

Arista will not ship a software fix. The vendor published Security Advisory 0137 with mitigation guidance and stated that no patch or hotfix is planned, because a code change would disrupt tunnel decapsulation behavior in deployed networks. The standard response to a KEV entry is to patch first and address the architecture afterward. For CVE-2026-7473 there is no patch to apply. The remediation is a configuration change on the affected switches and a decision about what the network fabric is trusted to do.

The tunnel endpoint forwards traffic it should drop

A tunnel decapsulation endpoint strips the outer header from an encapsulated packet and forwards the inner packet toward its destination. The configuration is common in data center and campus fabrics, where VXLAN carries Layer 2 segments across a Layer 3 underlay and GRE carries traffic between sites. CVE-2026-7473 removes the check that the decapsulated traffic belongs to a configured tunnel. The switch accepts and forwards any tunneled packet whose outer destination matches its decapsulation IP, including traffic an attacker injects from outside the intended tunnel.

The result is an injection path into segments the fabric isolates. An attacker who routes a crafted packet to the decapsulation IP reaches the inner network without holding any credential the segmentation model assumes. The switch enforces the boundary between segments, and the flaw subverts the switch.

The fabric is the transport, not the trust boundary

Network segmentation, identity-bound mutual TLS, and microsegmentation place the enforcement decision inside the network fabric. When the fabric forwards traffic it should drop, those controls inherit the failure. The segment boundary is only as strong as the switch that draws it, and CVE-2026-7473 is a switch that draws it incorrectly with no fix forthcoming.

Data-centric zero trust moves the enforcement decision off the network and onto the data object. Lattix Technologies binds policy to the object through attribute-based access control (ABAC) at the policy enforcement point (PEP), wraps the object under post-quantum key encapsulation with ML-KEM-768 and ML-KEM-1024, and records every release decision as Merkle-tree lineage in content-addressed storage (CAS-X). A packet that reaches an interior segment through the decapsulation flaw arrives at a transport layer, not at the authority that releases keys. The policy decision point (PDP) evaluates an attribute claim the network position does not satisfy, and a request that cannot satisfy policy fails closed.

When the vendor will not patch

Most KEV entries assume a patch exists and the operational problem is deployment latency. CVE-2026-7473 inverts that. The mitigation is to remove or constrain the tunnel decapsulation configuration, which is a network design change rather than an update, and the underlying behavior stays in the operating system. Networks that depend on tunnel decapsulation carry the risk for as long as the configuration stays in place.

This is the condition data-centric architecture addresses directly. The object enforces its own policy whether the fabric forwards correctly or not. The decapsulation flaw becomes a reachability problem on the transport, not a release of the data, because the release decision never depended on the switch.

The evidence question for cross-segment data

After a fabric injection, the response team has to determine what an attacker reached across the exposed segments. Flow logs and switch telemetry are evidence of uncertain integrity once the fabric is the compromised component.

Merkle-tree lineage answers the question from outside the network. The chain records every release decision the PEP made and anchors it in content-addressed storage the fabric cannot rewrite. The team queries the chain for releases during the incident window. Objects that released surface as entries, and objects the attacker never obtained a release for surface as the absence of an entry. The breach-notification scope rests on that record rather than on telemetry the attacker's position could reach.

How the architecture maps to standards

NIST SP 800-207 places the policy decision point outside the systems it governs, which is the property that keeps a fabric compromise out of the policy decision. The CISA Zero Trust Maturity Model 2.0 scores the data pillar separately from the network pillar, so a segmented network does not raise the data-pillar score. CISA Binding Operational Directive 22-01 makes KEV remediation binding on federal civilian agencies and sets the June 23 deadline. The DoD Zero Trust Strategy assigns data its own pillar with target-level activities that network segmentation does not satisfy.

What teams should do before the deadline

The first action is the configuration change. Apply the mitigation in Arista Security Advisory 0137, audit every switch for a decapsulation IP configured through VXLAN, GRE, or a decap-group, and constrain decapsulation to the tunnels that require it. The June 23 deadline binds federal civilian agencies and there is no patch to wait for.

The second action is the architecture question the mitigation does not close. Inventory the data that crosses segments the tunnel fabric isolates, and identify where that data exists in the clear on the wire. Object-level cryptographic enforcement, with the keys and the policy decision held off the network, converts the next fabric flaw into a transport reachability problem rather than an exposure of the data.

References