[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-7473":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-10T17:21:59.993Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":19,"aliases":20,"duplicate_of":9,"upstream":21,"downstream":22,"duplicates":23,"related":24,"reserved_at":9,"published_at":25,"modified_at":26,"state":27,"summary":28,"references_raw":39,"kevs":58,"epss":69,"epss_history":72,"metrics":86,"affected":99},"CVE-2026-7473","On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.\n\n\n\nThis issue has been reported as being exploited in the wild.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-1023","Incomplete Comparison with Missing Factors","The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.","weakness","Incomplete","Class",[],[],[],[],[],[],[],"2026-06-05T16:22:47.989Z","2026-06-10T03:57:41.291Z","Analyzed",{"cisa_kev":29,"cisa_ransomware":30,"cisa_vendor":31,"epss_severity":32,"epss_score":33,"severity":34,"severity_score":35,"severity_version":36,"severity_source":37,"severity_vector":38,"severity_status":27},true,false,"Arista","high",0.22469,"medium",6.9,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",[40,47,52],{"url":41,"sources":42,"tags":44},"https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137",[37,43],"nvd",[45,46],"Vendor Advisory","Broken Link",{"url":48,"sources":49,"tags":50},"https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137",[37,43],[45,51],"Mitigation",{"url":53,"sources":54,"tags":55},"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473",[37,43],[56,57],"Government Resource","US Government Resource",[59],{"source":60,"vendor":31,"product":61,"date_added":62,"vulnerability_name":63,"short_description":64,"required_action":65,"due_date":66,"known_ransomware_campaign_use":67,"notes":68,"exploitation_type":9},"cisa","Extensible Operating System","2026-06-09","Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability","Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.","Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","2026-06-23","Unknown","https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137 ; https://nvd.nist.gov/vuln/detail/CVE-2026-7473",{"date":70,"score":33,"percentile":71},"2026-06-10",0.95961,[73,77,80,83,85],{"date":74,"score":75,"percentile":76},"2026-06-06",0.00029,0.08716,{"date":78,"score":75,"percentile":79},"2026-06-07",0.08696,{"date":81,"score":75,"percentile":82},"2026-06-08",0.08649,{"date":62,"score":75,"percentile":84},0.08687,{"date":70,"score":33,"percentile":71},[87,95],{"source":37,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":88,"cvss_v4_0":94},{"baseScore":89,"baseSeverity":90,"vectorString":91,"impactScore":92,"exploitabilityScore":93},5.8,"MEDIUM","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",2.3,10,{"baseScore":35,"baseSeverity":90,"vectorString":38,"impactScore":9,"exploitabilityScore":9},{"source":43,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":96,"cvss_v4_0":97},{"baseScore":89,"baseSeverity":90,"vectorString":91,"impactScore":92,"exploitabilityScore":93},{"baseScore":35,"baseSeverity":90,"vectorString":98,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[100],{"ecosystem":9,"name":101,"vendor":102,"product":103,"cpe_part":104,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":105},"EOS","arista networks","eos","a",[106,109,113,117,121,125,129],{"version":107,"is_range":30,"range_type":37,"version_start":107,"version_start_type":108,"version_end":107,"version_end_type":108,"fixed_in":9},"4.36.0","including",{"version":110,"is_range":29,"range_type":37,"version_start":111,"version_start_type":108,"version_end":112,"version_end_type":108,"fixed_in":9},">= 4.35.0, \u003C= 4.35","4.35.0","4.35",{"version":114,"is_range":29,"range_type":37,"version_start":115,"version_start_type":108,"version_end":116,"version_end_type":108,"fixed_in":9},">= 4.34.0, \u003C= 4.34","4.34.0","4.34",{"version":118,"is_range":29,"range_type":37,"version_start":119,"version_start_type":108,"version_end":120,"version_end_type":108,"fixed_in":9},">= 4.33.0, \u003C= 4.33","4.33.0","4.33",{"version":122,"is_range":29,"range_type":37,"version_start":123,"version_start_type":108,"version_end":124,"version_end_type":108,"fixed_in":9},">= 4.32.0, \u003C= 4.32","4.32.0","4.32",{"version":126,"is_range":29,"range_type":37,"version_start":127,"version_start_type":108,"version_end":128,"version_end_type":108,"fixed_in":9},">= 4.31.0, \u003C= 4.31","4.31.0","4.31",{"version":130,"is_range":29,"range_type":37,"version_start":9,"version_start_type":9,"version_end":131,"version_end_type":108,"fixed_in":9},"\u003C= 4.30","4.30"]