Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled
Summary
| CVE | CVE-2026-2379 |
|---|---|
| State | PUBLISHED |
| Assigner | Arista |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-05 18:17:05 UTC |
| Updated | 2026-06-05 19:03:48 UTC |
| Description | On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication. |
Risk And Classification
Primary CVSS: v4.0 8.2 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000440000 probability, percentile 0.137860000 (date 2026-06-11)
Problem Types: CWE-672 | CWE-672 CWE-672: Operation on a Resource after Expiration or Release
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Secondary | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | CNA | CVSS | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
PresentPrivileges Required
NoneUser Interaction
NoneConfidentiality
HighIntegrity
NoneAvailability
NoneSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Arista Networks | EOS | affected 4.34.0 4.34.3M custom | 7280R3 Series with IPsec (DCS-7280SR3AK, DCS-7280SR3AM, DCS-7280CR3AK, DCS-7280CR3AM, DCS-7280CR3MK, DCS-7280DR3AK, DCS-7280DR3AM, DCS-7289R3AK-SC, DCS-7289R3AM-SC), 7800R3 Series with IPsec (7800R3A-36DM-LC, 7800R3AK-36DM-LC, 7800R3A-36PM-LC, 7800R3AK-36PM-LC, 7800R3A-36DM2-LC, 7800R3AK-36DM2-LC), AWE 7000 Series with IPsec (AWE-7250R-16S-F, AWE-7230R-4TX-4S-F, AWE-7220RP-5TH-2S-F), AWE 5000 Series with IPsec (AWE-5510, AWE-5310), CloudEOS VM |
| CNA | Arista Networks | EOS | affected 4.33.0M 4.33.5M custom | 7280R3 Series with IPsec (DCS-7280SR3AK, DCS-7280SR3AM, DCS-7280CR3AK, DCS-7280CR3AM, DCS-7280CR3MK, DCS-7280DR3AK, DCS-7280DR3AM, DCS-7289R3AK-SC, DCS-7289R3AM-SC), 7800R3 Series with IPsec (7800R3A-36DM-LC, 7800R3AK-36DM-LC, 7800R3A-36PM-LC, 7800R3AK-36PM-LC, 7800R3A-36DM2-LC, 7800R3AK-36DM2-LC), AWE 7000 Series with IPsec (AWE-7250R-16S-F, AWE-7230R-4TX-4S-F, AWE-7220RP-5TH-2S-F), AWE 5000 Series with IPsec (AWE-5510, AWE-5310), CloudEOS VM |
| CNA | Arista Networks | EOS | affected 4.32.0M 4.32.7M custom | 7280R3 Series with IPsec (DCS-7280SR3AK, DCS-7280SR3AM, DCS-7280CR3AK, DCS-7280CR3AM, DCS-7280CR3MK, DCS-7280DR3AK, DCS-7280DR3AM, DCS-7289R3AK-SC, DCS-7289R3AM-SC), 7800R3 Series with IPsec (7800R3A-36DM-LC, 7800R3AK-36DM-LC, 7800R3A-36PM-LC, 7800R3AK-36PM-LC, 7800R3A-36DM2-LC, 7800R3AK-36DM2-LC), AWE 7000 Series with IPsec (AWE-7250R-16S-F, AWE-7230R-4TX-4S-F, AWE-7220RP-5TH-2S-F), AWE 5000 Series with IPsec (AWE-5510, AWE-5310), CloudEOS VM |
| CNA | Arista Networks | EOS | affected 4.31.0M 4.31.9M custom | 7280R3 Series with IPsec (DCS-7280SR3AK, DCS-7280SR3AM, DCS-7280CR3AK, DCS-7280CR3AM, DCS-7280CR3MK, DCS-7280DR3AK, DCS-7280DR3AM, DCS-7289R3AK-SC, DCS-7289R3AM-SC), 7800R3 Series with IPsec (7800R3A-36DM-LC, 7800R3AK-36DM-LC, 7800R3A-36PM-LC, 7800R3AK-36PM-LC, 7800R3A-36DM2-LC, 7800R3AK-36DM2-LC), AWE 7000 Series with IPsec (AWE-7250R-16S-F, AWE-7230R-4TX-4S-F, AWE-7220RP-5TH-2S-F), AWE 5000 Series with IPsec (AWE-5510, AWE-5310), CloudEOS VM |
| CNA | Arista Networks | EOS | affected 4.30.0F 4.31.0 custom | 7280R3 Series with IPsec (DCS-7280SR3AK, DCS-7280SR3AM, DCS-7280CR3AK, DCS-7280CR3AM, DCS-7280CR3MK, DCS-7280DR3AK, DCS-7280DR3AM, DCS-7289R3AK-SC, DCS-7289R3AM-SC), 7800R3 Series with IPsec (7800R3A-36DM-LC, 7800R3AK-36DM-LC, 7800R3A-36PM-LC, 7800R3AK-36PM-LC, 7800R3A-36DM2-LC, 7800R3AK-36DM2-LC), AWE 7000 Series with IPsec (AWE-7250R-16S-F, AWE-7230R-4TX-4S-F, AWE-7220RP-5TH-2S-F), AWE 5000 Series with IPsec (AWE-5510, AWE-5310), CloudEOS VM |
| CNA | Arista Networks | EOS | affected 4.29.0F 4.30.0 custom | 7280R3 Series with IPsec (DCS-7280SR3AK, DCS-7280SR3AM, DCS-7280CR3AK, DCS-7280CR3AM, DCS-7280CR3MK, DCS-7280DR3AK, DCS-7280DR3AM, DCS-7289R3AK-SC, DCS-7289R3AM-SC), 7800R3 Series with IPsec (7800R3A-36DM-LC, 7800R3AK-36DM-LC, 7800R3A-36PM-LC, 7800R3AK-36PM-LC, 7800R3A-36DM2-LC, 7800R3AK-36DM2-LC), AWE 7000 Series with IPsec (AWE-7250R-16S-F, AWE-7230R-4TX-4S-F, AWE-7220RP-5TH-2S-F), AWE 5000 Series with IPsec (AWE-5510, AWE-5310), CloudEOS VM |
| CNA | Arista Networks | EOS | affected 4.28.0F 4.29.0 custom | 7280R3 Series with IPsec (DCS-7280SR3AK, DCS-7280SR3AM, DCS-7280CR3AK, DCS-7280CR3AM, DCS-7280CR3MK, DCS-7280DR3AK, DCS-7280DR3AM, DCS-7289R3AK-SC, DCS-7289R3AM-SC), 7800R3 Series with IPsec (7800R3A-36DM-LC, 7800R3AK-36DM-LC, 7800R3A-36PM-LC, 7800R3AK-36PM-LC, 7800R3A-36DM2-LC, 7800R3AK-36DM2-LC), AWE 7000 Series with IPsec (AWE-7250R-16S-F, AWE-7230R-4TX-4S-F, AWE-7220RP-5TH-2S-F), AWE 5000 Series with IPsec (AWE-5510, AWE-5310), CloudEOS VM |
| CNA | Arista Networks | EOS | affected 4.27.1F 4.28.0 custom | 7280R3 Series with IPsec (DCS-7280SR3AK, DCS-7280SR3AM, DCS-7280CR3AK, DCS-7280CR3AM, DCS-7280CR3MK, DCS-7280DR3AK, DCS-7280DR3AM, DCS-7289R3AK-SC, DCS-7289R3AM-SC), 7800R3 Series with IPsec (7800R3A-36DM-LC, 7800R3AK-36DM-LC, 7800R3A-36PM-LC, 7800R3AK-36PM-LC, 7800R3A-36DM2-LC, 7800R3AK-36DM2-LC), AWE 7000 Series with IPsec (AWE-7250R-16S-F, AWE-7230R-4TX-4S-F, AWE-7220RP-5TH-2S-F), AWE 5000 Series with IPsec (AWE-5510, AWE-5310), CloudEOS VM |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.arista.com/en/support/advisories-notices/security-advisory/23419-securit... | [email protected] | www.arista.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see: EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades CVE-2026-2379 has been fixed in the following releases: * 4.35.0F and later releases in the 4.35.x train * 4.34.4M and later releases in the 4.34.x train * 4.33.6M and later releases in the 4.33.x train * 4.32.8M and later releases in the 4.32.x train * 4.31.10M and later releases in the 4.31.x train
Workarounds
CNA: There is no known mitigation for CVE-2026-2379. The recommended resolution is to upgrade to a remediated software version at your earliest convenience.
There are currently no legacy QID mappings associated with this CVE.