Vulnerability

CVE-2026-7473

Medium· 5.8KEVCVSS5.8EPSS27%

.rules3/5

Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability

Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.

Threat signal

72/100

High

Severity

medium

CVSS

5.8

EPSS

27%

Active

KEV

CISA KEV — actively exploited

10d remaining

AffectedArista — Extensible Operating System

Added to KEV

2026-06-09

Federal patch due (BOD 22-01)

2026-06-23

Required action (CISA verbatim)

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vendor advisory + references

CISA description: “Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.”

CVSS

v3.1via NVDOpen in FIRST calculator →

5.8/ 10MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack VectorNetworkExploitable remotely over the internet — no local access needed.
Attack ComplexityLowNo special conditions — exploit works reliably.
Privileges RequiredNoneUnauthenticated — no credentials needed.
User InteractionNoneFully automated — no victim action needed.
ScopeChangedImpact extends beyond the vulnerable component (e.g. sandbox escape).
Confidentiality ImpactNoneNo confidentiality impact.
Integrity ImpactLowSome data modification; attacker doesn't fully control extent.
Availability ImpactNoneNo availability impact.

EPSS

Exploit prediction · 30-day horizonFIRST.org →

27.2%

probability of exploitation in next 30 days

p97

higher than 97% of all CVEs

3-day trend↑ 4.8pp

Above the FIRST 'patch on a priority schedule' threshold.

Vendor VEX

No VEX statements published for CVE-2026-7473. Vendors publish VEX (Vulnerability Exploitability eXchange) to assert per-product whether a CVE is actually exploitable in their distribution.

SSVCAttend

Active exploitation with limited impact — coordinate patching

exploitation: active
automatable: no
impact: partial
mission: support

Lifecycle

2026-06-09Added to CISA KEVransomware: Unknown
2026-06-09Published
2026-06-09Vendor advisory · cisa-aacisa-adds-three-known-exploited-vulnerabilities-catalog — CISA Adds Three Known Exploited Vulnerabilities to Catalog
2026-06-09Mentioned in rss:cisaCISA Adds Three Known Exploited Vulnerabilities to Catalog
2026-06-12Last modified2 sources
2026-06-23Federal patch due (BOD 22-01)

Entity graph

3 nodes · 2 edges · click to pivot

CVEActorVendor advisoryIOCNews

Vendor advisories

cisa-aacisa-adds-three-known-exploited-vulnerabilities-catalogCISA Adds Three Known Exploited Vulnerabilities to Catalog

Mentions in news & research

rss:cisaCISA Adds Three Known Exploited Vulnerabilities to Catalog3 d ago

References

No source-event history recorded yet. New revisions will appear here as ingestors re-fetch this CVE.