ctipilot.ch


CVE-2026-7473 — Arista EOS tunnel-decapsulation logic flaw bypasses segmentation, added to CISA KEV

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Arista EOS contains an incomplete-comparison flaw (CWE-1023, Incomplete Comparison with Missing Factors) in its tunnel-decapsulation logic. On a switch with a VXLAN, decap-group or GRE decapsulation configuration, a tunneled packet is decapsulated and forwarded as soon as its outer destination IP matches the configured decap IP; the outer source IP is not checked against the configured remote VTEP or tunnel peers. Any host with IP reachability to the decap address can therefore encapsulate arbitrary frames and have the switch inject them into the VXLAN fabric, bypassing the segmentation the overlay is meant to enforce. CISA added CVE-2026-7473 to its KEV catalog on 9 June (Arista, 2026-06-09). Relevant to datacenter-fabric operators in CH/EU finance and government. Apply Arista SA-0137. Until patched, add decap source-IP validation or access-lists on VTEP interfaces that permit UDP/4789 (VXLAN) and IP protocol 47 (GRE) to the decap IP only from known peer VTEPs, and drop tunneled traffic to that address at the fabric edge; since the decap IP is typically a loopback advertised in the underlay, it may be reachable from well beyond the fabric. ATT&CK: T1599.001.
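The following is an added illustration, not Arista EOS code and not part of the advisory. It models the decap decision the brief describes: the vulnerable check compares only the outer destination IP against the decap IP (the incomplete comparison), while the hardened check also requires the outer source to fall within a configured remote-VTEP prefix list. The packet builders, addresses, VNI and prefix list are all constructed for the example; `find_injected` runs both checks over the sample frames and reports the tunneled packets that the vulnerable logic would decapsulate but a source-validated one would drop, which is also the detection a fabric operator would want to run over captured VXLAN/GRE traffic toward a VTEP address.

```python
"""
Model of the CVE-2026-7473 decap decision: destination-only match (CWE-1023)
versus destination AND configured remote-VTEP source. Added example, not
Arista code; every packet, address and VNI below is constructed for the demo.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789
IPPROTO_UDP = 17
IPPROTO_GRE = 47


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def vxlan_packet(src, dst, vni, inner_frame=b"\x00" * 14):
    """IPv4/UDP/VXLAN: 8-byte VXLAN header with the I flag set and a 24-bit VNI."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner_frame), 0)
    return ipv4_packet(src, dst, IPPROTO_UDP, udp + vxlan + inner_frame)


def gre_packet(src, dst, inner=b"\x45" + b"\x00" * 19):
    """IPv4/GRE with a 4-byte base header announcing an IPv4 (0x0800) payload."""
    return ipv4_packet(src, dst, IPPROTO_GRE, struct.pack("!HH", 0, 0x0800) + inner)


def parse_tunnel(pkt):
    """Return (src, dst, kind, vni) for VXLAN or GRE over IPv4, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    l4 = pkt[ihl:]
    if proto == IPPROTO_UDP and len(l4) >= 16:
        _sport, dport, _ulen, _csum = struct.unpack("!HHHH", l4[:8])
        if dport == VXLAN_UDP_PORT and l4[8] & 0x08:  # I flag set: VNI field is valid
            return src, dst, "vxlan", int.from_bytes(l4[12:15], "big")
    if proto == IPPROTO_GRE and len(l4) >= 4:
        return src, dst, "gre", None
    return None


def vulnerable_decap(pkt, decap_ips):
    """Pre-fix behaviour as the advisory describes it: only the destination is compared."""
    t = parse_tunnel(pkt)
    return t is not None and t[1] in decap_ips


def hardened_decap(pkt, decap_ips, remote_vteps):
    """Destination must match AND the outer source must lie in a configured peer prefix."""
    t = parse_tunnel(pkt)
    if t is None or t[1] not in decap_ips:
        return False
    src = ipaddress.IPv4Address(t[0])
    return any(src in ipaddress.IPv4Network(prefix) for prefix in remote_vteps)


def find_injected(frames, decap_ips, remote_vteps):
    """Flag frames the vulnerable check would decapsulate but the hardened one rejects."""
    hits = []
    for i, frame in enumerate(frames):
        if vulnerable_decap(frame, decap_ips) and not hardened_decap(frame, decap_ips, remote_vteps):
            src, _dst, kind, vni = parse_tunnel(frame)
            hits.append((i, src, kind, vni))
    return hits


# Constructed lab topology: VTEP loopback 10.0.0.1, peer VTEPs within 10.0.0.0/24.
DECAP_IPS = {"10.0.0.1"}
REMOTE_VTEPS = ["10.0.0.0/24"]
SAMPLE_FRAMES = [
    vxlan_packet("10.0.0.2", "10.0.0.1", 10010),          # legitimate peer VTEP
    vxlan_packet("192.0.2.50", "10.0.0.1", 10010),        # injected from outside the fabric
    gre_packet("192.0.2.50", "10.0.0.1"),                 # injected GRE to the decap IP
    ipv4_packet("192.0.2.50", "10.0.0.1", IPPROTO_UDP,
                struct.pack("!HHHH", 40000, 53, 8, 0)),   # plain UDP, not a tunnel
    vxlan_packet("192.0.2.50", "10.0.0.9", 10010),        # wrong destination, never decapped
]

if __name__ == "__main__":
    for hit in find_injected(SAMPLE_FRAMES, DECAP_IPS, REMOTE_VTEPS):
        print("tunneled traffic accepted by destination-only check:", hit)
```

The two rogue frames (VXLAN and GRE from 192.0.2.50) are exactly the case the advisory covers: correct destination, unexpected source. The plain UDP frame to the same address is not a tunnel and is ignored by both checks, and the VXLAN frame to 10.0.0.9 fails the destination match in both, which shows that the fix is an additional factor in the comparison, not a replacement for the destination check.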