Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass

Summary

CVE: CVE-2026-7473
State: PUBLISHED
Assigner: Arista
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-05 17:17:02 UTC
Updated: 2026-06-09 20:48:49 UTC
Description: On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packets with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.

Risk And Classification

Primary CVSS: v4.0 6.9 MEDIUM from [email protected]

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.003780000 probability, percentile 0.293950000 (date 2026-06-22)

CISA KEV: Listed on 2026-06-09; due 2026-06-23; ransomware use Unknown

Problem Types: CWE-1023: Incomplete Comparison with Missing Factors


Version | Source | Type | Score | Severity | Vector
4.0 | [email protected] | Secondary | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/C...
4.0 | CNA | CVSS | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
3.1 | [email protected] | Secondary | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
3.1 | CNA | CVSS | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS v4.0 Breakdown

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Confidentiality: None
Integrity: Low
Availability: None
Subsequent System Confidentiality: None
Subsequent System Integrity: Low
Subsequent System Availability: None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CISA Known Exploited Vulnerability

Vendor: Arista
Product: Extensible Operating System
Name: Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137 ; https://nvd.nist.gov/vuln/detail/CVE-2026-7473

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Hardware Arista 7020sr-24c2 - All All All
Hardware Arista 7020sr-32c2 - All All All
Hardware Arista 7020srg-24c2 - All All All
Hardware Arista 7020tr-48 - All All All
Hardware Arista 7020tra-48 - All All All
Hardware Arista 7280cr-48 - All All All
Hardware Arista 7280cr2-60 - All All All
Hardware Arista 7280cr2a-30 - All All All
Hardware Arista 7280cr2a-60 - All All All
Hardware Arista 7280cr2k-30 - All All All
Hardware Arista 7280cr2k-60 - All All All
Hardware Arista 7280cr2m-30 - All All All
Hardware Arista 7280cr3-32d4 - All All All
Hardware Arista 7280cr3-32p4 - All All All
Hardware Arista 7280cr3-36s - All All All
Hardware Arista 7280cr3-96 - All All All
Hardware Arista 7280cr3a-24d12 - All All All
Hardware Arista 7280cr3a-48d6 - All All All
Hardware Arista 7280cr3a-72 - All All All
Hardware Arista 7280cr3ak-24d12 - All All All
Hardware Arista 7280cr3ak-48d6 - All All All
Hardware Arista 7280cr3ak-72 - All All All
Hardware Arista 7280cr3am-24d12 - All All All
Hardware Arista 7280cr3am-48d6 - All All All
Hardware Arista 7280cr3am-72 - All All All
Hardware Arista 7280cr3mk-32d4s - All All All
Hardware Arista 7280cr3mk-32p4s - All All All
Hardware Arista 7280dr3-24 - All All All
Hardware Arista 7280dr3a-36 - All All All
Hardware Arista 7280dr3a-54 - All All All
Hardware Arista 7280dr3ak-36 - All All All
Hardware Arista 7280dr3ak-54 - All All All
Hardware Arista 7280dr3am-36 - All All All
Hardware Arista 7280dr3am-54 - All All All
Hardware Arista 7280pr3-24 - All All All
Hardware Arista 7280qr-c36 - All All All
Hardware Arista 7280qr-c36-m - All All All
Hardware Arista 7280qr-c72 - All All All
Hardware Arista 7280qra-c36s - All All All
Hardware Arista 7280qra-c36sm - All All All
Hardware Arista 7280sr-48c6 - All All All
Hardware Arista 7280sr2-48yc6 - All All All
Hardware Arista 7280sr2-48yc6-m - All All All
Hardware Arista 7280sr2a-48yc6 - All All All
Hardware Arista 7280sr2a-48yc6-m - All All All
Hardware Arista 7280sr2k-48c6-m - All All All
Hardware Arista 7280sr3-40yc6 - All All All
Hardware Arista 7280sr3-48yc8 - All All All
Hardware Arista 7280sr3m-48yc8 - All All All
Hardware Arista 7280sra-48c6 - All All All
Hardware Arista 7280sra-48c6-m - All All All
Hardware Arista 7280sram-48c6 - All All All
Hardware Arista 7280srm-40cx2 - All All All
Hardware Arista 7280tr-48c6 - All All All
Hardware Arista 7280tr3-40c6 - All All All
Hardware Arista 7280tra-48c6 - All All All
Hardware Arista 7280tra-48c6-m - All All All
Hardware Arista 7289r3a-sc - All All All
Hardware Arista 7289r3ak-sc - All All All
Hardware Arista 7289r3am-sc - All All All
Hardware Arista 7500r-36cq-lc - All All All
Hardware Arista 7500r-36q-lc - All All All
Hardware Arista 7500r-48s2cq-lc - All All All
Hardware Arista 7500r-8cfpx-lc - All All All
Hardware Arista 7500r2-36cq-lc - All All All
Hardware Arista 7500r2a-36cq-lc - All All All
Hardware Arista 7500r2ak-36cq-lc - All All All
Hardware Arista 7500r2ak-48ycq-lc - All All All
Hardware Arista 7500r2am-36cq-lc - All All All
Hardware Arista 7500r2m-36cq-lc - All All All
Hardware Arista 7500r3-24d - All All All
Hardware Arista 7500r3-24p - All All All
Hardware Arista 7500r3-36cq - All All All
Hardware Arista 7500r3k-36cq - All All All
Hardware Arista 7500r3k-48y4d - All All All
Hardware Arista 7500rm-36cq-lc - All All All
Hardware Arista 7504r-fm - All All All
Hardware Arista 7504r3 - All All All
Hardware Arista 7508r-fm - All All All
Hardware Arista 7508r3 - All All All
Hardware Arista 7512r-fm - All All All
Hardware Arista 7512r3 - All All All
Hardware Arista 7516-sup2 - All All All
Hardware Arista 7516n-ch - All All All
Hardware Arista 7516r-fm - All All All
Hardware Arista 7800r3-36d - All All All
Hardware Arista 7800r3-48cq - All All All
Hardware Arista 7800r3a-36d - All All All
Hardware Arista 7800r3a-36dm - All All All
Hardware Arista 7800r3a-36p - All All All
Hardware Arista 7800r3a-36pm - All All All
Hardware Arista 7800r3ak-36dm - All All All
Hardware Arista 7800r3ak-36pm - All All All
Hardware Arista 7800r3k-48cq - All All All
Hardware Arista 7800r3k-48cqms - All All All
Hardware Arista 7800r3k-72y - All All All
Hardware Arista 7804r3 - All All All
Hardware Arista 7808r3 - All All All
Hardware Arista 7812r3 - All All All
Hardware Arista 7816lr3 - All All All
Hardware Arista 7816r3 - All All All
Operating System Arista Eos All All All All

Vendor Declared Affected Products

Source | Vendor | Product | Version | Platforms
CNA Arista Networks EOS affected 4.36.0 custom 7020R Series, 7280R/R2 Series, 7500R/R2 Series, 7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)
CNA Arista Networks EOS affected 4.35.0 4.35 custom 7020R Series, 7280R/R2 Series, 7500R/R2 Series, 7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)
CNA Arista Networks EOS affected 4.34.0 4.34 custom 7020R Series, 7280R/R2 Series, 7500R/R2 Series, 7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)
CNA Arista Networks EOS affected 4.33.0 4.33 custom 7020R Series, 7280R/R2 Series, 7500R/R2 Series, 7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)
CNA Arista Networks EOS affected 4.32.0 4.32 custom 7020R Series, 7280R/R2 Series, 7500R/R2 Series, 7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)
CNA Arista Networks EOS affected 4.31.0 4.31 custom 7020R Series, 7280R/R2 Series, 7500R/R2 Series, 7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)
CNA Arista Networks EOS affected * 4.30 custom 7020R Series, 7280R/R2 Series, 7500R/R2 Series, 7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6), 7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)

References

Reference | Source | Link | Tags
www.arista.com/en/support/advisories-notices/security-advisory/24005-securit... 134c704f-9b21-4f2e-91b3-4a467353bcc0 www.arista.com Vendor Advisory, Mitigation
www.arista.com/en/support/advisories-notices/security-advisory/22872-securit... [email protected] www.arista.com Broken Link
www.cisa.gov/known-exploited-vulnerabilities-catalog 134c704f-9b21-4f2e-91b3-4a467353bcc0 www.cisa.gov US Government Resource
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
CISA Known Exploited Vulnerabilities catalog CISA www.cisa.gov kev

Vendor Comments And Credit

Discovery Credit

CNA: Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis at Comcast

Additional Advisory Data

Source | Time | Event
ADP | 2026-06-09T00:00:00.000Z | CVE-2026-7473 added to CISA KEV

Solutions

CNA: No software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments. The recommended resolution of this issue is to follow the appropriate mitigation instructions detailed in the workaround block.

Workarounds

CNA: There are two broad approaches to mitigate this issue: (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening. In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic. For example, if a network is configured to forward VXLAN traffic, but GRE traffic is being unexpectedly forwarded, then ACLs can be used to either selectively allow just VXLAN traffic or selectively block GRE traffic. More details about using the ACL feature can be found in the Arista User Manual https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1150869 . A note of caution: the following ACL-based mitigation recommendations assume that the tunnel IP is dedicated solely to receiving the configured tunnel protocol traffic. When adapting these rules for your environment, it is important to explicitly permit any additional protocol traffic—such as BGP or SSH—if that IP serves multiple functions. To maintain connectivity, ensure these permit statements are sequenced before any deny statements directed at the decapsulation IP. The following configurations align with the recommendations outlined in the Arista EOS Hardening Guide https://arista.my.site.com/AristaCommunity/s/article/arista-eos-hardening-guide#Comm_Kna_ka0Uw00000097VJIAY_71 .

CNA: Approach 1 - Applying ACL on Upstream Switches

On upstream devices, applying ACLs to allow specific tunneled traffic is straightforward. ACLs can be applied that match on tunnel destination IP, the IP next protocol field, and (optionally) UDP destination port to selectively allow or block specific tunnel protocols. Example ACLs for Arista EOS follow.

ACL to permit VXLANv4 Only
This IPv4 ACL matches on VXLAN packets as follows:
(a) IP next protocol = UDP (17)
(b) IP DIP = VXLAN VTEP IP
(c) UDP destination port = VXLAN UDP Port (4789)
It allows VXLAN packets and drops all other packets to the VXLAN Decap IP.

   ip access-list foo
      counters per-entry
      1 permit udp any host <vxlan-decap-ip> eq 4789
      2 deny ip any host <decap-ip>
      3 permit ip any any

ACL to permit GREv4 Only
This IPv4 ACL matches on GRE packets as follows:
(a) IP next protocol = GRE (47)
(b) IP DIP = GRE Tunnel Destination IP
It allows GRE packets and drops all other packets to the GRE Decap IP.

   ip access-list foo
      counters per-entry
      1 permit gre any host <gre-decap-ip>
      2 deny ip any host <gre-decap-ip>
      3 permit any any

ACL to permit IP-in-IPv4 Only
This IPv4 ACL matches on IP-in-IPv4 packets as follows:
(a) IP next protocol = IPv4 (4) or IPv6 (41)
(b) IP DIP = IP-in-IP Decap IP
It allows IP-in-IPv4 packets and drops all other packets to the IP-in-IPv4 Decap IP.

   ip access-list foo
      counters per-entry
      1 permit 4 any host <ipip-decap-ip>
      2 permit 41 any host <ipip-decap-ip>
      3 deny ip any host <ipip-decap-ip>
      4 permit any any

ACL to Permit IP-in-IPv6 Only
This IPv6 ACL matches on IP-in-IPv6 packets as follows:
(a) IP next protocol = IPv4 (4) or IPv6 (41)
(b) IP DIP = IP-in-IP Decap IP
It allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.

   ipv6 access-list foo
      counters per-entry
      1 permit 4 any host <ipip-decap-ip>
      2 permit 41 any host <ipip-decap-ip>
      3 deny ipv6 any host <ipip-decap-ip>
      4 permit ipv6 any any

ACL to permit GUEv4 Only
This IPv4 ACL matches on GUE packets as follows:
(a) IP next protocol = UDP (17)
(b) IP DIP = GUE Decap IP
(c) UDP destination port = UDP port configured per payload (IP = Y or MPLS = Z)
It allows GUE packets and drops all other packets to the GUE Decap IP.

   ip access-list foo
      counters per-entry
      1 permit udp any host <decap-ip> eq Y
      2 permit udp any host <decap-ip> eq Z
      3 deny ip any host <decap-ip>
      4 permit ip any any

ACL to Permit GUEv6 Only
This IPv6 ACL matches on GUE packets as follows:
(a) IP next protocol = UDP (17)
(b) IP DIP = GUE Decap IP
(c) UDP destination port = UDP port configured per payload (IP = Y or MPLS = Z)
It allows GUE packets and drops all other packets to the GUE Decap IP.

   ipv6 access-list foo
      counters per-entry
      1 permit udp any host <decap-ip> eq Y
      2 permit udp any host <decap-ip> eq Z
      3 deny ipv6 any host <decap-ip>
      4 permit ipv6 any any

CNA: Approach 2 - Applying ACL on Decapsulation Switches

Applying ACLs on the decapsulation device is more complicated. It requires the use of MAC ACLs on 7020R Series, 7280R/R2 Series, and 7500R/R2 Series systems and IP ACLs on 7280R3 Series, 7500R3 Series, and 7800R3 Series systems. In both cases, a TCAM profile update is also required. Note that a TCAM profile update is a disruptive operation that could impact traffic forwarding. More information can be found in User-defined TCAM Profiles https://www.arista.com/en/support/toi/eos-4-26-0f/14755-user-defined-tcam-profiles .

7020R Series, 7280R/R2 Series, and 7500R/R2 Series

Mitigation involves using MAC ACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. The suggested MAC ACLs use User Defined Fields (UDFs) to match on specific fields in the packet headers. This requires a TCAM profile update to include the following UDF qualifiers:
* For IPv4 tunnels, 2 16b and 1 32b UDF qualifiers need to be included.
* For IPv6 tunnels, 2 16b and 4 32b UDF qualifiers need to be included.
However, in order to make room for the UDF qualifiers, other TCAM features/qualifiers must be removed due to hardware constraints.

Following are some suggested TCAM profile changes to accommodate the required UDF qualifiers:

* TCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for MPLS:

   hardware tcam
      profile test copy default
         feature acl port mac
            no key size limit
            key field udf-16b-1 udf-16b-2 udf-32b-1
         no feature mpls
         no feature mpls pop ingress
         no feature pbr mpls

* TCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for VXLAN:

   hardware tcam
      profile test copy default
         feature acl port mac
            no key field src-mac
            key field udf-16b-1 udf-16b-2 udf-32b-1

* TCAM profile that includes the UDF qualifiers for IPv6 tunnels, but removes support for VXLAN and PBR:

   hardware tcam
      profile test1 copy default
         feature acl port mac
            no key size limit
            no key field src-mac dst-mac
            key field udf-16b-1 udf-16b-2 udf-32b-1 udf-32b-2 udf-32b-3 udf-32b-4
         no feature tunnel vxlan
         no feature tunnel vxlan routing
         no feature pbr ip
         no feature pbr ipv6

Please contact Arista TAC if further assistance is needed with TCAM profile construction.

CNA: ACL to permit VXLAN v4 Decap only
This MAC ACL uses UDF to match on VXLAN packets as follows:
(a) IP next protocol = UDP (0x11)
(b) IP DIP = VXLAN VTEP IP (say 0xXXXXXXXX - converted in hex)
(c) UDP destination port = VXLAN UDP Port (0x12b5)
It allows VXLAN packets and drops all other packets to the VXLAN Decap IP.

   mac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff
   mac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000
   mac access-list payload alias udp-dport-vxlan offset 5 pattern 0x000012b5 mask 0xffff0000
   mac access-list foo
      counters per-entry
      1 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-vxlan
      2 deny any any ip payload alias ip-dip-decap-ip
      3 permit any any

ACL to permit GREv4 Decap Only
This MAC ACL uses UDF to match on GRE packets as follows:
(a) IP next protocol = GRE (0x2f)
(b) IP DIP = GRE Decap IP (say 0xXXXXXXXX - converted in hex)
It allows GRE packets and drops all other packets to the GRE Decap IP.

   mac access-list payload alias ip-next-protocol-gre offset 2 pattern 0x002f0000 mask 0xff00ffff
   mac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000
   mac access-list foo
      counters per-entry
      1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip
      2 deny any any ip payload alias ip-dip-decap-ip
      3 permit any any

If needed, the ACL can also be tweaked to match on specific GRE payloads as follows:

IPv4oGRE ACL also matches on GRE next protocol = IPv4 (0x0800)

   mac access-list payload alias gre-protocol-ipv4 offset 5 pattern 0x00000800 mask 0xffff0000
   mac access-list foo
      counters per-entry
      1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv4
      2 deny any any ip payload alias ip-dip-decap-ip
      3 permit any any

IPv6oGRE ACL also matches on GRE next protocol = IPv6 (0x86dd)

   mac access-list payload alias gre-protocol-ipv6 offset 5 pattern 0x000086dd mask 0xffff0000
   mac access-list foo
      counters per-entry
      1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv6
      2 deny any any ip payload alias ip-dip-decap-ip
      3 permit any any

MPLSoGRE ACL also matches on GRE next protocol = MPLS (0x8847)

   mac access-list payload alias gre-protocol-mpls offset 5 pattern 0x00008847 mask 0xffff0000
   mac access-list foo
      counters per-entry
      1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-mpls
      2 deny any any ip payload alias ip-dip-decap-ip
      3 permit any any

CNA: ACL to permit IP-in-IPv4 Decap Only
This MAC ACL uses UDF to match on IP-in-IP packets as follows:
(a) IP next protocol = IPv4 (0x04) or IPv6 (0x29)
(b) IP DIP = IP-in-IP Decap IP (say 0xXXXXXXXX - converted in hex)
It allows IP-in-IP packets and drops all other packets to the IP-in-IP Decap IP.

   mac access-list payload alias ip-next-protocol-ipv4 offset 2 pattern 0x00040000 mask 0xff00ffff
   mac access-list payload alias ip-next-protocol-ipv6 offset 2 pattern 0x00290000 mask 0xff00ffff
   mac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000
   mac access-list foo
      counters per-entry
      1 permit any any ip payload alias ip-next-protocol-ipv4 alias ip-dip-decap-ip
      2 permit any any ip payload alias ip-next-protocol-ipv6 alias ip-dip-decap-ip
      3 deny any any ip payload alias ip-dip-decap-ip
      4 permit any any

ACL to permit GUEv4 Decap Only
This MAC ACL uses UDF to match on GUE packets as follows:
(a) IP next protocol = UDP (0x11)
(b) IP DIP = GUE Decap IP (say 0xXXXXXXXX - converted in hex)
(c) UDP destination port = UDP port configured per payload (say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)
It allows GUE packets and drops all other packets to the GUE Decap IP.

   mac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff
   mac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000
   mac access-list payload alias udp-dport-gue-ip offset 5 pattern 0x0000YYYY mask 0xffff0000
   mac access-list payload alias udp-dport-gue-mpls offset 5 pattern 0x0000ZZZZ mask 0xffff0000
   mac access-list foo
      1 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-mpls
      2 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-ip
      3 deny any any ip payload alias ip-dip-decap-ip
      4 permit any any

ACL to permit GUEv6 Decap Only
This MAC ACL uses UDF to match on GUE packets as follows:
(a) IP next protocol = UDP (0x11)
(b) IPv6 DIP = GUE Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)
(c) UDP destination port = UDP port configured per payload (say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)
It allows GUE packets and drops all other packets to the GUE Decap IP.

   mac access-list payload alias ipv6-next-protocol-udp offset 1 pattern 0x00001100 mask 0xffff00ff
   mac access-list payload alias udp-dport-gue-ip offset 10 pattern 0x0000YYYY mask 0xffff0000
   mac access-list payload alias udp-dport-gue-mpls offset 10 pattern 0x0000ZZZZ mask 0xffff0000
   mac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0
   mac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0
   mac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0
   mac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0
   mac access-list foo
      counters per-entry
      1 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-ip
      2 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-mpls
      3 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4
      4 permit any any

CNA: ACL to permit IP-in-IPv6 Decap Only
The MAC ACL uses UDF to match on IP-in-IPv6 packets as follows:
(a) IP next protocol = IPv4 (4) or IPv6 (41)
(b) IPv6 DIP = IP-in-IP Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)
It allows IP-in-IP packets and drops all other packets to the IP-in-IP Decap IP.

   mac access-list payload alias ipv6-next-protocol-ipv4 offset 1 pattern 0x00000400 mask 0xffff00ff
   mac access-list payload alias ipv6-next-protocol-ipv6 offset 1 pattern 0x00002900 mask 0xffff00ff
   mac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0
   mac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0
   mac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0
   mac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0
   mac access-list foo
      counters per-entry
      1 permit any any ipv6 payload alias ipv6-next-protocol-ipv4 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4
      2 permit any any ipv6 payload alias ipv6-next-protocol-ipv6 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4
      3 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4
      4 permit any any

7280R3 Series, 7500R3 Series, and 7800R3 Series

Mitigation involves using IPv6 PACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. This requires the following TCAM profile update with the specified packet types:

   hardware tcam
      profile test
         feature acl port ipv6
            packet ipv6 ipv4 forwarding routed decap
            packet ipv6 ipv6 forwarding routed decap
            packet ipv6 gue ipv4 forwarding routed decap
            packet ipv6 gue ipv6 forwarding routed decap
            packet ipv6 gue mpls forwarding mpls decap

Note that introducing new packet types might also require specifying them under other features such as "acl vlan" or "qos ipv6". Please reach out if further assistance is needed with TCAM profile construction.

ACL to Permit GUEv6 Only
This IPv6 ACL matches on GUE packets as follows:
(a) IP next protocol = UDP (0x11)
(b) IP DIP = GUE Decap IP
(c) UDP destination port = UDP port configured per payload (IP = Y or MPLS = Z)
It allows GUE packets and drops all other packets to the GUE Decap IP.

   ipv6 access-list foo
      counters per-entry
      1 permit udp any host <decap-ip> eq Y
      2 permit udp any host <decap-ip> eq Z
      3 deny ipv6 any host <decap-ip>
      4 permit ipv6 any any

ACL to Permit IP-in-IPv6 Only
This IPv6 ACL matches on IP-in-IPv6 packets as follows:
(a) IP next protocol = IPv4 (4) or IPv6 (41)
(b) IP DIP = IP-in-IP Decap IP
It allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.

   ipv6 access-list foo
      counters per-entry
      1 permit 4 any host <decap-ip>
      2 permit 41 any host <decap-ip>
      3 deny ipv6 any host <decap-ip>
      4 permit ipv6 any any
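The UDF-based MAC ACLs above and the upstream IP ACLs of Approach 1 all express one check: a packet addressed to the decap IP is allowed only if its IP next protocol (and, for UDP tunnels, its destination port) is the configured tunnel protocol. The following Python script is an added example, not Arista's or the advisory's code: it fills in the decap-IP alias placeholders (0xXXXXXXXX, 0xAAAAAAAA..0xDDDDDDDD) from a decap address and evaluates constructed sample packets against the VXLAN-only MAC ACL, so an operator can sanity-check rule order before committing a TCAM change. It assumes the UDF convention seen in the advisory's examples (offsets are 32-bit words into the IP header; mask bits set to 1 are ignored), which is an inference from those examples rather than documented behaviour.

```python
"""Model of the advisory's UDF-based MAC ACL mitigation (added example, not
Arista code). A UDF alias is (32-bit word offset into the IP header, pattern,
mask). Assumed mask convention, inferred from the advisory's examples: a mask
bit of 1 is ignored, a mask bit of 0 must equal the pattern bit."""
import ipaddress
import struct

# Protocol/port aliases with the offset, pattern and mask values the advisory gives.
PROTO_ALIASES = {
    "ip-next-protocol-udp": (2, 0x00110000, 0xFF00FFFF),  # IPv4 protocol byte = 17
    "ip-next-protocol-gre": (2, 0x002F0000, 0xFF00FFFF),  # IPv4 protocol byte = 47
    "udp-dport-vxlan":      (5, 0x000012B5, 0xFFFF0000),  # UDP dst port = 4789
}


def dip_aliases(decap_ip):
    """Fill the advisory's 0xXXXXXXXX (IPv4) or 0xAAAAAAAA..0xDDDDDDDD (IPv6)
    placeholders: the decap address as 32-bit words at word offset 4 (IPv4 DIP)
    or offsets 6..9 (IPv6 DIP), compared with mask 0 (every bit must match)."""
    addr = ipaddress.ip_address(decap_ip)
    if addr.version == 4:
        return {"ip-dip-decap-ip": (4, int(addr), 0x00000000)}
    words = struct.unpack("!4I", addr.packed)
    return {f"ipv6-dip-decap-ip{i + 1}": (6 + i, w, 0) for i, w in enumerate(words)}


def render_aliases(aliases):
    """Emit 'mac access-list payload alias' lines in the advisory's form."""
    return [
        f"mac access-list payload alias {name} offset {off} "
        f"pattern 0x{pat:08x} mask 0x{mask:08x}"
        for name, (off, pat, mask) in aliases.items()
    ]


def udf_match(ip_pkt, alias):
    """Does the 32-bit word at the alias offset match the pattern under its mask?"""
    off, pattern, mask = alias
    start = off * 4
    if len(ip_pkt) < start + 4:
        return False
    word = struct.unpack("!I", ip_pkt[start:start + 4])[0]
    care = ~mask & 0xFFFFFFFF          # bits that must match
    return (word & care) == (pattern & care)


def evaluate(ip_pkt, rules, aliases):
    """First-match ACL evaluation; rules are (action, [alias names]).
    The advisory's ACLs end in 'permit any any', so that is the fallback."""
    for action, names in rules:
        if all(udf_match(ip_pkt, aliases[n]) for n in names):
            return action
    return "permit"


# --- constructed sample data (not from the advisory) ----------------------
DECAP_IP = "198.51.100.1"            # constructed VTEP / decap address
ACL_ALIASES = {**PROTO_ALIASES, **dip_aliases(DECAP_IP)}

# The advisory's "ACL to permit VXLAN v4 Decap only", rule by rule.
VXLAN_ONLY = [
    ("permit", ["ip-next-protocol-udp", "ip-dip-decap-ip", "udp-dport-vxlan"]),
    ("deny",   ["ip-dip-decap-ip"]),
]


def ipv4_packet(proto, dst, l4):
    """Minimal 20-byte IPv4 header (no options) plus L4 bytes; checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + l4


# UDP/4789 with an 8-byte VXLAN header; GRE (proto 47) carrying IPv4 (0x0800).
VXLAN_TO_DECAP = ipv4_packet(17, DECAP_IP,
                             struct.pack("!HHHH", 50000, 4789, 16, 0) + b"\x08" + b"\x00" * 7)
GRE_TO_DECAP = ipv4_packet(47, DECAP_IP, struct.pack("!HH", 0, 0x0800))
GRE_TO_OTHER = ipv4_packet(47, "198.51.100.2", struct.pack("!HH", 0, 0x0800))

if __name__ == "__main__":
    print("\n".join(render_aliases(ACL_ALIASES)))
    for label, pkt in [("VXLAN to decap IP", VXLAN_TO_DECAP),
                       ("GRE to decap IP", GRE_TO_DECAP),
                       ("GRE to another IP", GRE_TO_OTHER)]:
        print(f"{label}: {evaluate(pkt, VXLAN_ONLY, ACL_ALIASES)}")
```

Only the GRE packet aimed at the decap IP is denied; GRE to any other address falls through to the final permit, which is the behaviour the advisory's rule 2 and rule 3 describe.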

© CVE.report 2026
