The U.S. Cybersecurity and Infrastructure Security Agency entered a vulnerability in Arista's Extensible Operating System, tracked as CVE-2026-7473, into its Known Exploited Vulnerabilities (KEV) catalog. The catalog record classifies the issue as an incomplete-comparison-with-missing-factors vulnerability — the weakness category recorded as CWE-1023 — affecting Arista EOS, the network operating system that runs on the company's switching platforms. The entry was added on June 9, 2026, and carries a remediation due date of June 23, 2026.

According to the KEV record, the flaw manifests in how an affected switch handles tunneled traffic. The catalog states that the switch incorrectly decapsulates and forwards an unexpected tunneled packet when that packet's destination IP matches the IP the switch has been configured to use for decapsulation. Decapsulation is the process by which a device strips an outer tunnel header from a packet to reveal and route the inner payload; the record indicates that the comparison governing when decapsulation should occur does not account for all the factors it needs to, which is the defining characteristic of the CWE-1023 category named in the entry.

"Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP." — CISA KEV catalog entry, short-description field

CISA's KEV catalog is the agency's published list of vulnerabilities it states are being exploited in the wild. The presence of CVE-2026-7473 on the list is the operative fact: the agency adds a CVE only after determining that active exploitation is occurring. The record marks the known-ransomware-campaign-use field as "Unknown," meaning the entry does not tie the vulnerability to a named ransomware operation. That value reflects what the record documents and is not a forecast.

What the record instructs

The required-action field in the KEV entry directs affected parties to apply mitigations per vendor instructions, to follow applicable Binding Operational Directive 22-01 guidance for cloud services, or to discontinue use of the product if mitigations are unavailable. The record references an Arista security advisory — advisory notice 24005, security advisory 0137 — as the vendor source for the specific affected versions and the remediation steps. The June 23, 2026 due date is the date by which the directive's covered federal civilian agencies are expected to remediate.

BOD 22-01 is the directive under which the KEV catalog operates as a binding remediation requirement for U.S. federal civilian executive-branch agencies. Outside that population, the catalog is consulted broadly by network operators as a prioritization reference, though the directive's legal obligation applies to the agencies it covers. The KEV record itself does not characterize how many devices are affected or estimate exposure; it documents the product, the weakness category, the dates, and the determination of active exploitation.

The mechanism the entry describes

An incomplete comparison with missing factors, CWE-1023, describes logic that decides whether two values match while omitting one or more conditions the decision should depend on. In the context the KEV entry supplies, that comparison governs decapsulation: the switch is meant to decapsulate tunnel traffic destined for its configured decapsulation IP, but the record states it will also decapsulate and forward "other unexpected" tunneled packets that share that destination IP. The consequence the record names is forwarding of traffic that the switch should not have processed in that way.

Tunnel decapsulation behavior sits at the boundary between a network's encapsulated overlay and the underlying forwarding path, which is why a comparison gap there can affect how traffic crosses a switch. The KEV record does not detail an exploitation sequence beyond the summary quoted above, nor does it enumerate affected EOS builds; that version-level detail is held in the referenced Arista advisory 0137. What the catalog documents is the weakness category, the affected operating system (Arista EOS), the date added (June 9, 2026), the due date (June 23, 2026), and the exploitation determination that is the precondition for any KEV listing.

For network teams consulting the catalog, the anchor identifiers are the ones the record provides: the CVE number CVE-2026-7473, the CWE-1023 classification, and the Arista advisory reference. The National Vulnerability Database detail page for CVE-2026-7473 carries the standardized scoring and reference set as those are published. The KEV entry remains the authoritative record of the exploitation determination and the federal remediation deadline, and it is the source from which every fact stated in this report is drawn. Readers evaluating their own exposure are directed by the record to apply the vendor's mitigation in line with the cited directive, or to discontinue use of the affected product if no mitigation is available.

How the entry is structured

Each KEV record follows a fixed field layout, and reading CVE-2026-7473 against it separates what the catalog asserts from what it leaves to other sources. The vendor field names Arista, and the product field names Extensible Operating System. The vulnerability-name field labels the issue an "Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability," restating the CWE-1023 classification in the catalog's own words. The date-added field records June 9, 2026, and the due-date field records June 23, 2026. The short-description field carries the single summarizing sentence quoted earlier, and the notes field collects the external references: the Arista security advisory and the National Vulnerability Database detail page for the CVE.

The known-ransomware-campaign-use field reads "Unknown" for this entry. Within the catalog's schema that value indicates the agency has not, in this record, linked the vulnerability to a documented ransomware campaign. It describes the state of the catalog's documentation rather than offering a prediction, and the value can be revised in later catalog updates. The value reported here reflects the entry as it stood when it was added on June 9, 2026.

The required-action field is where the listing becomes an obligation for the agencies the directive covers. For CVE-2026-7473 that field directs covered parties to apply mitigations per vendor instructions, to follow applicable BOD 22-01 guidance for cloud services, or to discontinue use of the product if mitigations are unavailable. The catalog does not, in this entry, identify which specific deployments are affected or reachable; that determination rests with the operators of Arista EOS devices, who are directed to the vendor advisory for the version-level detail that defines whether a given switch falls within scope.