HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-2379Published Modified CNA Arista

CVE-2026-2379: Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled

On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.

Metrics

CVSS v4.0
8.2
Severity
HIGH
Fixed in
4.28.0
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sequence number mismatch vulnerability in Arista EOS affecting hardware IPsec tunnel handling. When anti-replay protection is disabled, physical interface flaps or certain agent restarts can trigger IPsec tunnel re-establishment using existing Security Associations, causing sequence number desynchronization between tunnel endpoints and resulting in unstable or disrupted encrypted communications. The vulnerability is reachable over the network without any authentication, and successful exploitation enables an attacker to read encrypted traffic by exploiting the weakened anti-replay state. A patched-image rebuild at versions 4.28.0, 4.29.0, 4.30.0, and 4.31.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images, to flag any running Arista EOS versions in the affected range (up to 4.34.3M, 4.33.5M, 4.32.7M, or 4.31.9M). Coverage applies to images in both registries and active CI/CD pipelines.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 8.2 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each organization is available automatically once a match is confirmed.

Available
Patch

A patched-image rebuild at the fix versions (4.28.0, 4.29.0, 4.30.0, 4.31.0) is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads without manual intervention.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to reach the affected EOS device over the network to exploit the desynchronized IPsec tunnel state.

  • AuthenticationNot required

    No credentials or prior account access are needed; the vulnerability is exploitable by an unauthenticated network actor.

  • Victim interactionNot required

    No action from a user or administrator on the target device is required to trigger exploitation once the tunnel is in a mismatched sequence number state.

  • Attack complexityDetail

    While the exploit itself requires no special conditions on the attacker's side (AC:L), a prerequisite environmental condition exists (AT:P): the affected device must have anti-replay disabled and must have experienced an interface flap or agent restart to enter the vulnerable state.

Blast Radius

  • An attacker gains the ability to read the contents of traffic that should have been protected by IPsec encryption, exposing confidential data in transit across affected tunnels.
  • Confidentiality of all data flowing through the affected IPsec tunnels is compromised; this includes any application payloads, credentials, or session tokens transmitted over those tunnels.
  • Integrity and availability of the tunnel traffic are not directly impacted according to the CVSS scoring, but loss of confidentiality on encrypted overlay traffic can undermine the security guarantees of the broader network segment relying on those tunnels.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for all customer image scans, matching affected Arista EOS versions the moment the finding enters the feed. For environments running an affected version, a patched-image rebuild at 4.28.0, 4.29.0, 4.30.0, or 4.31.0 is available. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image, execute regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Regardless of patch status, customers can apply compensating controls in the interim: enabling IPsec anti-replay protection where operationally feasible, applying network-policy isolation to restrict which hosts can reach IPsec endpoints, and monitoring for unexpected interface flap events that may indicate the tunnel has entered a vulnerable re-establishment cycle.

See how HarborGuard automates this

Fix available

4.28.04.29.04.30.04.31.0
Affected packages
  • Arista Networks / EOS
    ≤ 4.34.3M · ≤ 4.33.5M · ≤ 4.32.7M · ≤ 4.31.9M · < 4.31.0 (from 4.30.0F) · < 4.30.0 (from 4.29.0F)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References