
Arista EOS
Arista EOS (Extensible Operating System) is the network OS running on Arista switches; CVE-2026-7473 affects the 7020R, 7280R and 7500R series.
Last refreshed: 14 June 2026 · Appears in 1 active topic
Can a federal deadline force Arista to patch a flaw it has decided is unfixable?
Timeline for Arista EOS
Ran vulnerable tunnel decapsulation logic across the 7020R, 7280R, and 7500R series
Cybersecurity: Threats and Defences: Arista refuses to patch KEV flaw
- Why is Arista not patching the CVE-2026-7473 vulnerability?
  Arista Networks says a software fix for the tunnel protocol verification flaw would break existing configurations on the 7020R, 7280R, and 7500R series. The company is offering access-control lists as the only mitigation. (Source: CISA KEV / Arista advisory)
- What does CISA KEV status mean for network administrators?
  A KEV listing signals active exploitation and requires federal agencies to remediate by the stated deadline. Non-federal organisations are strongly advised to follow the same timeline, even without a legal obligation. (Source: CISA)
- How should organisations protect Arista switches with no patch available?
  Arista recommends deploying access-control lists to restrict tunnel decapsulation traffic to authorised sources, and organisations should document compensating controls to satisfy compliance requirements. (Source: Arista Networks advisory)
- Which Arista EOS switch models are affected by the June 2026 vulnerability?
  The 7020R, 7280R, and 7500R series are affected by CVE-2026-7473. (Source: CISA KEV)
Background
Arista EOS (Extensible Operating System) is the network operating system running on Arista Networks' data-centre and campus switching hardware. In June 2026, CISA added CVE-2026-7473, a tunnel protocol verification flaw affecting the 7020R, 7280R, and 7500R series, to the Known Exploited Vulnerabilities catalogue with a 23 June federal remediation deadline. Arista formally confirmed it has no plans to ship a software fix.
Arista EOS powers a significant share of spine and leaf switching in large-scale enterprise and cloud environments. CVE-2026-7473 stems from insufficient validation of tunnel decapsulation headers; Arista's position is that a code fix would break existing configurations, making access-control lists the only available mitigation. This is the second KEV entry in 2026 where federal agencies face a mandatory deadline against a flaw with no vendor patch available, raising questions about the adequacy of KEV compliance mechanisms when a vendor refuses to remediate.
The case is significant for procurement and risk teams: a widely deployed network OS with an unpatched KEV-listed flaw forces a configuration-only mitigation posture indefinitely. Organisations running the affected hardware series must verify ACL coverage and document compensating controls before the federal deadline, regardless of whether they are subject to CISA directives.