MEDIUM 5.9

CVE-2026-2379: Arista EOS IPSec Tunnel Instability – MEDIUM Risk Vulnerability

Arista EOS devices with hardware-accelerated IPSec support may experience communication instability when physical network interfaces go down or certain system components restart. During these events, IPSec tunnels re-establish, but sequence numbering can become misaligned between the two endpoints of the tunnel. This mismatch can cause packets to be rejected or processed out of order, leading to dropped connections or degraded tunnel performance. The vulnerability requires network access to trigger but does not involve packet inspection or authentication bypass.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-672
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-2379 affects Arista EOS platforms with hardware IPSec acceleration when specific IPSec features are enabled. The root cause involves improper sequence number synchronization during IPSec tunnel re-establishment following physical interface flaps or agent restarts. When these events occur, existing Security Associations (SAs) are torn down and rebuilt, but the sequence number counters on one or both tunnel endpoints may not be properly reset or synchronized. This results in sequence number field mismatches in the IPSec header (RFC 4303), causing the receiving endpoint to reject inbound packets or classify them as out-of-order replay attacks. The issue is classified as CWE-672 (Improper Restoration of Previously Freed Memory or Resetting to Initial Values).

Business impact

Organizations relying on Arista switches with IPSec tunnels for encrypted WAN backhaul, SD-WAN overlays, or inter-site connectivity may experience unexpected tunnel outages coinciding with scheduled or unplanned maintenance windows. Since the issue is triggered by interface flaps and agent restarts—events that occur during network operations, troubleshooting, or device upgrades—customers may face unplanned downtime during these critical windows. Data confidentiality is not compromised (the CVSS vector reflects high confidentiality impact due to encryption being in use, not because it is broken), but availability of the encrypted tunnel is directly affected.

Affected systems

Arista EOS running on hardware platforms with native IPSec acceleration, where specific IPSec features have been enabled in the configuration. The vendor product list in the source data is empty; consult Arista's advisory and platform documentation to determine which specific EOS versions, hardware SKUs, and feature combinations trigger this issue. Contact your Arista sales or support representative with your platform model and EOS version to confirm exposure.

Exploitability

This vulnerability does not require active exploitation by an external attacker. It is triggered by legitimate operational events: physical link failures, scheduled maintenance restarts, or automatic agent recovery processes. An attacker cannot directly invoke IPSec tunnel re-establishment without network access and the ability to cause interface flaps, which implies significant network access or physical access. The medium CVSS score (5.9) reflects the requirement for these specific conditions to occur naturally or be orchestrated by someone with network control. The attack vector is Network, but the attack complexity is High, and there is no privilege escalation or integrity risk.

Remediation

Arista will provide a firmware patch that ensures sequence numbers are correctly synchronized when IPSec tunnels re-establish. Until patching is available, operational workarounds may include: minimizing scheduled maintenance windows, disabling non-essential IPSec features if they are not in use, or deploying redundant tunnel paths with automatic failover to reduce the impact of a single tunnel becoming unstable. Verify the specific patch version and applicability against your hardware platform and EOS version by consulting Arista's security advisory.

Patch guidance

Contact Arista directly or consult their security advisory for the EOS firmware version that resolves sequence number synchronization during tunnel re-establishment. Test patches in a non-production environment, paying particular attention to IPSec tunnel stability during simulated interface flaps and agent restarts. Coordinate patching with your change management window to minimize production impact, as the issue itself is most likely to manifest during maintenance events.

Detection guidance

Monitor Arista switch syslog output for IPSec-related messages, including tunnel state transitions, SA deletion and re-creation events, and sequence number mismatch warnings. Enable IPSec debugging on affected devices if your security operations center supports centralized logging. Track interface flap events and correlate them with IPSec tunnel outages or instability. Use Arista's monitoring APIs or CLI commands to query IPSec SA statistics (sequence number counters, packet drop rates) before and after planned maintenance. A sudden spike in IPSec packet drops coinciding with an interface flap or agent restart is a strong indicator of this issue.

Why prioritize this

Although the CVSS score is MEDIUM (5.9), prioritize patching for any Arista EOS deployments that carry encrypted inter-site traffic or business-critical WAN links. The vulnerability is not remotely exploitable in the traditional sense, but its impact during routine maintenance can cause unplanned downtime. Organizations with redundant IPSec tunnels or SD-WAN failover can afford to patch on a normal quarterly cycle; those with single tunnels or high-criticality links should prioritize faster patching.

Risk score, explained

The CVSS 3.1 score of 5.9 MEDIUM is driven by: (1) Network attack vector, reflecting that IPSec re-establishment can be triggered by network-initiated link failures; (2) High attack complexity, because the vulnerability requires specific operational conditions (interface flaps or agent restarts) to manifest; (3) High confidentiality impact, indicating that the encrypted tunnel's stability—and by extension, the protection of traffic confidentiality—is at stake; (4) no integrity or availability impact in the CVSS model, because packets are not modified, merely dropped. The actual business-critical impact may be higher in environments where IPSec provides essential connectivity.

Frequently asked questions

Does this vulnerability allow an attacker to decrypt IPSec traffic or bypass encryption?

No. The vulnerability does not compromise the encryption itself or break IPSec cryptography. It causes sequence number mismatches that lead to tunnel instability and packet drops. Confidentiality of the encrypted data is not compromised.

Can this issue be triggered remotely without any special network access?

Triggering the issue requires the ability to cause a physical interface flap or agent restart on the switch. While interface flaps can occur due to legitimate network events, an attacker would need significant network access or physical proximity to deliberately trigger the re-establishment conditions.

How does this affect SD-WAN or multi-tunnel deployments?

In SD-WAN environments with multiple IPSec tunnels, a single tunnel becoming unstable due to this bug may not cause total loss of connectivity if other tunnels remain up. However, traffic steering policies may be disrupted, and the failed tunnel will be unavailable until the tunnel re-establishes successfully or the device is patched.

What is the timeline for a patch, and are there interim workarounds?

Arista's timeline and workaround availability depend on the severity of the issue in their customer base. Check the official Arista advisory for patch availability. In the interim, ensure redundant tunnel paths are in place, minimize maintenance windows on affected devices, and avoid configurations that enable non-essential IPSec features.

This analysis is provided for informational purposes. The vendor product list in the official CVE record is empty; affected platforms and EOS versions must be confirmed by consulting Arista's security advisory and platform documentation. Patch versions, availability dates, and workarounds are subject to change and should be verified directly with Arista. SEC.co does not provide legal, compliance, or warranty advice. Organizations should perform their own risk assessment and consult with Arista support before making patching or configuration decisions. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).