CISA Flags Cisco, Chrome, Arista Flaws as Actively Exploited

"On affected platforms running Arista EOS where a tunnel decapsulation configuration - such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface - is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packets with a destination IP matching its configured decapsulation IP," Arista said.

CISA adds three CVEs to the KEV catalog after reports of active exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation. The additions are: CVE-2026-20245 in Cisco Catalyst SD-WAN Manager (CVSS 7.8); CVE-2026-11645 in Google Chrome V8 (CVSS 8.8); and CVE-2026-7473 in Arista Extensible Operating System (EOS) (CVSS 6.9). Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the necessary fixes or mitigations by June 23, 2026.

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager (local, authenticated)

CVE-2026-20245, rated CVSS 7.8, is an improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager. According to the advisory, an authenticated, local attacker could execute arbitrary commands as root by supplying a crafted file to the affected system. The KEV listing follows reports of active exploitation and places this flaw among those CISA considers known to be abused in the wild.

CVE-2026-11645 — Google Chrome V8 (remote, crafted HTML)

CVE-2026-11645, scored 8.8, is an out-of-bounds read and write vulnerability in the Google Chrome V8 JavaScript engine. The advisory explains a remote attacker could execute arbitrary code inside a sandbox by delivering a crafted HTML page. CISA added the issue to the KEV catalog after reports that the vulnerability is being actively exploited.

CVE-2026-7473 — Arista EOS decapsulation flaw; vendor says no patch planned

CVE-2026-7473 (CVSS 6.9) arises from an "incomplete comparison with missing factors" that can cause Arista EOS to process non-configured tunnel traffic. Arista detailed that when a device is configured as a tunnel endpoint with a decapsulation IP — for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an IP decap-group — the switch may not verify the tunnel protocol type and can therefore incorrectly decapsulate and forward unexpected tunneled packets whose destination IP matches its configured decapsulation IP.

Arista identified the primarily impacted hardware as its 7020R, 7280R/R2, and 7500R/R2 series products, and acknowledged the vulnerability "has been reported as being exploited in the wild." The company credited Comcast's Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis for responsibly disclosing the issue.

Crucially, Arista stated that it is not planning to issue patches to address CVE-2026-7473, citing risks that doing so could break existing configurations in deployed environments. Instead, the company laid out mitigation guidance.

How Arista, FCEB agencies, and network operators are responding

  • Arista: The vendor has recommended two broad mitigation approaches: (1) apply access control lists (ACLs) on upstream devices; or (2) apply ACLs on the devices where the unexpected decapsulation is occurring. Arista summarized the objective as either selectively allowing only legitimate tunnel traffic or selectively blocking malicious tunnel traffic.
  • Federal Civilian Executive Branch agencies: CISA has ordered FCEB agencies to apply fixes or mitigations for the three KEV-listed vulnerabilities by June 23, 2026.
  • Network operators and administrators: For successful exploitation of the Arista issue, devices must be configured as tunnel endpoints with a decapsulation IP; operators should therefore prioritize auditing tunnel endpoint configurations and implementing the ACL-based mitigations Arista described where patching is not available or not planned.
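As an added illustration, not Arista's own guidance or code: a small Python audit script that pulls the tunnel decapsulation IPs (VXLAN VTEP source and GRE tunnel source) out of an EOS-style running-config and emits the allow-list ACL that Arista's "selectively allow only legitimate tunnel traffic" approach describes. The command syntax, ACL name and addresses are assumptions for this example; apply the resulting ACL on the upstream device or on the ingress interfaces of the affected switch, as Arista recommends.

```python
import re
# Constructed EOS-style config excerpt (assumed syntax; addresses are made up).
SAMPLE_CONFIG = """\
interface Loopback1
   ip address 10.255.0.1/32
!
interface Vxlan1
   vxlan source-interface Loopback1
   vxlan udp-port 4789
!
interface Tunnel1
   tunnel mode gre
   tunnel source 10.255.0.2
   tunnel destination 10.9.9.9
"""

def interface_blocks(config):
    """Split a running-config into {interface name: its config text}."""
    chunks = re.split(r"(?m)^interface ", config)[1:]
    return {c.split("\n", 1)[0].strip(): c for c in chunks}

def find_decap_endpoints(config):
    """Map each decapsulation IP to the (protocol, port) expected to arrive on it."""
    blocks = interface_blocks(config)
    addr = {n: m.group(1) for n, t in blocks.items()
            if (m := re.search(r"ip address (\S+)/\d+", t))}
    endpoints = {}
    for text in blocks.values():
        vx = re.search(r"vxlan source-interface (\S+)", text)
        if vx and vx.group(1) in addr:  # VXLAN VTEP: only UDP to the VXLAN port is legitimate
            port = re.search(r"vxlan udp-port (\d+)", text)
            endpoints[addr[vx.group(1)]] = ("udp", int(port.group(1)) if port else 4789)
        gre = re.search(r"tunnel source (\S+)", text)
        if gre and "tunnel mode gre" in text:  # GRE endpoint: only IP protocol 47 is legitimate
            endpoints[gre.group(1)] = ("gre", None)
    return endpoints

def build_acl(endpoints, name="TUNNEL-DECAP-GUARD"):
    """Allow-list ACL: permit the expected tunnel protocol per decap IP, deny the rest aimed at it."""
    rules, seq = [f"ip access-list {name}"], 10
    for ip, (proto, port) in endpoints.items():
        match = f"{proto} any host {ip}" + (f" eq {port}" if port else "")
        rules += [f"   {seq} permit {match}", f"   {seq + 10} deny ip any host {ip}"]
        seq += 20
    rules.append(f"   {seq} permit ip any any")  # non-tunnel traffic elsewhere is untouched
    return rules

if __name__ == "__main__":
    print("\n".join(build_acl(find_decap_endpoints(SAMPLE_CONFIG))))
```

The deny line per decap IP also drops legitimate non-tunnel traffic addressed to that IP (routing-protocol sessions or management on a loopback, for instance), so add explicit permits for those services ahead of it before deploying.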

The addition of these three CVEs to CISA's KEV catalog signals active exploitation that federal agencies and network operators must address within a narrow window. For Arista customers, the combination of an acknowledged in-the-wild exploit, a limited set of affected platforms (7020R, 7280R/R2, 7500R/R2), and the vendor's decision not to patch heightens reliance on careful configuration review and ACL-based controls. CISA's June 23 directive establishes a concrete compliance deadline for FCEB agencies; whether enterprises outside the federal civilian space will adopt the same urgency remains a practical question for network operators and procurement teams.
