Vulnerability-Lookup

GHSA-QM38-553V-42W8

Vulnerability from github – Published: 2026-06-05 18:31 – Updated: 2026-06-05 18:31

Details

On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.

Severity

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-2379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T18:17:05Z",
    "severity": "HIGH"
  },
  "details": "On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.",
  "id": "GHSA-qm38-553v-42w8",
  "modified": "2026-06-05T18:31:40Z",
  "published": "2026-06-05T18:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2379"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23419-security-advisory-0134"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2026-2379 (GCVE-0-2026-2379)

Vulnerability from cvelistv5 – Published: 2026-06-05 17:59 – Updated: 2026-06-05 17:59

Title

Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled

Summary

Severity

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-672 - Operation on a Resource after Expiration or Release

Assigner

Arista

References

1 reference

URL	Tags
https://www.arista.com/en/support/advisories-noti…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Arista Networks	EOS	Affected: 4.34.0 , ≤ 4.34.3M (custom) Affected: 4.33.0M , ≤ 4.33.5M (custom) Affected: 4.32.0M , ≤ 4.32.7M (custom) Affected: 4.31.0M , ≤ 4.31.9M (custom) Affected: 4.30.0F , < 4.31.0 (custom) Affected: 4.29.0F , < 4.30.0 (custom) Affected: 4.28.0F , < 4.29.0 (custom) Affected: 4.27.1F , < 4.28.0 (custom)

Date Public

2026-02-17 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "7280R3 Series with IPsec (DCS-7280SR3AK",
            "DCS-7280SR3AM",
            "DCS-7280CR3AK",
            "DCS-7280CR3AM",
            "DCS-7280CR3MK",
            "DCS-7280DR3AK",
            "DCS-7280DR3AM",
            "DCS-7289R3AK-SC",
            "DCS-7289R3AM-SC)",
            "7800R3 Series with IPsec (7800R3A-36DM-LC",
            "7800R3AK-36DM-LC",
            "7800R3A-36PM-LC",
            "7800R3AK-36PM-LC",
            "7800R3A-36DM2-LC",
            "7800R3AK-36DM2-LC)",
            "AWE 7000 Series with IPsec (AWE-7250R-16S-F",
            "AWE-7230R-4TX-4S-F",
            "AWE-7220RP-5TH-2S-F)",
            "AWE 5000 Series with IPsec (AWE-5510",
            "AWE-5310)",
            "CloudEOS VM"
          ],
          "product": "EOS",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.34.3M",
              "status": "affected",
              "version": "4.34.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.33.5M",
              "status": "affected",
              "version": "4.33.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.32.7M",
              "status": "affected",
              "version": "4.32.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.9M",
              "status": "affected",
              "version": "4.31.0M",
              "versionType": "custom"
            },
            {
              "lessThan": "4.31.0",
              "status": "affected",
              "version": "4.30.0F",
              "versionType": "custom"
            },
            {
              "lessThan": "4.30.0",
              "status": "affected",
              "version": "4.29.0F",
              "versionType": "custom"
            },
            {
              "lessThan": "4.29.0",
              "status": "affected",
              "version": "4.28.0F",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.0",
              "status": "affected",
              "version": "4.27.1F",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2026-2379, the IPsec\u0026nbsp;\u003cb\u003eanti-replay detection\u003c/b\u003e\u0026nbsp;feature must be disabled. The IPsec anti-replay detection feature is enabled by default when IPsec is enabled in Arista EOS.\u003c/p\u003e\u003cp\u003eThe field \u201c\u003cb\u003eReplay window size\u003c/b\u003e\u201d in the output of the command \u201c\u003cb\u003eshow ip sec connection detail\u003c/b\u003e\u201d can be used to verify whether anti-replay is enabled or disabled. A non-zero replay window size indicates that anti-replay detection is enabled.\u003c/p\u003e\u003cpre\u003eswitch#show ip sec connection detail\nTunnel0:\n\u0026nbsp;\u0026nbsp;Source address: 2.0.0.1, Destination address: 2.0.0.2\n\u0026nbsp;\u0026nbsp;State: established\n\u0026nbsp;\u0026nbsp;Uptime: 31 minutes, 49 seconds\n\u0026nbsp;\u0026nbsp;VRF: default\n\u0026nbsp;\u0026nbsp;Inbound SPI: 0xcc09b0d4:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Request ID: 312, Mode: tunnel, \u003cb\u003eReplay window size: 16384\u003c/b\u003e, Seq: 0x0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Errors:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime config:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft byte limit: 3728539143000, Hard byte limit: 6442450944000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft packet limit: 2101671584, Hard packet limit: 4000000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft time limit: 2657 secs, Hard time limit: 3600 secs\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime current:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current bytes: 461294305\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current packets: 391481\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA add time: Mon Jul\u0026nbsp; 8 00:49:52 2024\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA last use time: Mon Jul\u0026nbsp; 8 01:21:34 2024\n\u0026nbsp;\u0026nbsp;Outbound SPI: 0xc7869a84:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Request ID: 312, Mode: tunnel, Replay window size: 0, Seq: 0x0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Errors:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime config:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft byte limit: 3616989511500, Hard byte limit: 6442450944000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft packet limit: 2653085513, Hard packet limit: 4000000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Soft time limit: 2565 secs, Hard time limit: 3600 secs\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Lifetime current:\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current bytes: 1421924689\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Current packets: 1207796\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA add time: Mon Jul\u0026nbsp; 8 00:49:52 2024\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;SA last use time: Mon Jul\u0026nbsp; 8 01:21:34 2024\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIn the example above, the replay window size is non-zero which indicates that anti-replay detection is enabled.\u003c/p\u003e\u003cp\u003eIf anti-replay detection is enabled, then the vulnerability is not present. The IPsec anti-replay detection feature is disabled with the following configuration:\u003c/p\u003e\u003cpre\u003eswitch(config)# ip security\nswitch(config-ipsec)# sa policy sa1\nswitch(config-ipsec-sa1)# no anti-replay detection\u003c/pre\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2026-2379, the IPsec\u00a0anti-replay detection\u00a0feature must be disabled. The IPsec anti-replay detection feature is enabled by default when IPsec is enabled in Arista EOS.\n\n\n\nThe field \u201cReplay window size\u201d in the output of the command \u201cshow ip sec connection detail\u201d can be used to verify whether anti-replay is enabled or disabled. A non-zero replay window size indicates that anti-replay detection is enabled.\n\n\n\nswitch#show ip sec connection detail\nTunnel0:\n\u00a0\u00a0Source address: 2.0.0.1, Destination address: 2.0.0.2\n\u00a0\u00a0State: established\n\u00a0\u00a0Uptime: 31 minutes, 49 seconds\n\u00a0\u00a0VRF: default\n\u00a0\u00a0Inbound SPI: 0xcc09b0d4:\n\u00a0\u00a0\u00a0\u00a0Request ID: 312, Mode: tunnel, Replay window size: 16384, Seq: 0x0\n\u00a0\u00a0\u00a0\u00a0Errors:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u00a0\u00a0\u00a0\u00a0Lifetime config:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft byte limit: 3728539143000, Hard byte limit: 6442450944000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft packet limit: 2101671584, Hard packet limit: 4000000000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft time limit: 2657 secs, Hard time limit: 3600 secs\n\u00a0\u00a0\u00a0\u00a0Lifetime current:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current bytes: 461294305\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current packets: 391481\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA add time: Mon Jul\u00a0 8 00:49:52 2024\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA last use time: Mon Jul\u00a0 8 01:21:34 2024\n\u00a0\u00a0Outbound SPI: 0xc7869a84:\n\u00a0\u00a0\u00a0\u00a0Request ID: 312, Mode: tunnel, Replay window size: 0, Seq: 0x0\n\u00a0\u00a0\u00a0\u00a0Errors:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Packets outside replay window: 0, Replay: 0, Integrity failed: 0\n\u00a0\u00a0\u00a0\u00a0Lifetime config:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft byte limit: 3616989511500, Hard byte limit: 6442450944000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft packet limit: 2653085513, Hard packet limit: 4000000000\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Soft time limit: 2565 secs, Hard time limit: 3600 secs\n\u00a0\u00a0\u00a0\u00a0Lifetime current:\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current bytes: 1421924689\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Current packets: 1207796\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA add time: Mon Jul\u00a0 8 00:49:52 2024\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SA last use time: Mon Jul\u00a0 8 01:21:34 2024\n\n\n\u00a0\n\n\n\nIn the example above, the replay window size is non-zero which indicates that anti-replay detection is enabled.\n\n\n\nIf anti-replay detection is enabled, then the vulnerability is not present. The IPsec anti-replay detection feature is disabled with the following configuration:\n\n\n\nswitch(config)# ip security\nswitch(config-ipsec)# sa policy sa1\nswitch(config-ipsec-sa1)# no anti-replay detection"
        }
      ],
      "datePublic": "2026-02-17T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOn affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication.\u003c/p\u003e"
            }
          ],
          "value": "On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-60",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-60 Reusing Session Tokens"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-672",
              "description": "CWE-672: Operation on a Resource after Expiration or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T17:59:40.999Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23419-security-advisory-0134"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003c/p\u003e\u003cp\u003eFor more information about upgrading see: \u003ca href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCVE-2026-2379 has been fixed in the following releases:\u003c/p\u003e\u003cul\u003e\u003cli\u003e4.35.0F and later releases in the 4.35.x train\u003c/li\u003e\u003cli\u003e4.34.4M and later releases in the 4.34.x train\u003c/li\u003e\u003cli\u003e4.33.6M and later releases in the 4.33.x train\u003c/li\u003e\u003cli\u003e4.32.8M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.10M and later releases in the 4.31.x train\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\n\n\n\nFor more information about upgrading see:  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\n\n\nCVE-2026-2379 has been fixed in the following releases:\n\n  *  4.35.0F and later releases in the 4.35.x train\n  *  4.34.4M and later releases in the 4.34.x train\n  *  4.33.6M and later releases in the 4.33.x train\n  *  4.32.8M and later releases in the 4.32.x train\n  *  4.31.10M and later releases in the 4.31.x train"
        }
      ],
      "source": {
        "advisory": "0134",
        "defect": [
          "BUG 1188976"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere is no known mitigation for CVE-2026-2379. The recommended resolution is to upgrade to a remediated software version at your earliest convenience.\u003c/p\u003e"
            }
          ],
          "value": "There is no known mitigation for CVE-2026-2379. The recommended resolution is to upgrade to a remediated software version at your earliest convenience."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2026-2379",
    "datePublished": "2026-06-05T17:59:40.999Z",
    "dateReserved": "2026-02-11T21:25:16.721Z",
    "dateUpdated": "2026-06-05T17:59:40.999Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-QM38-553V-42W8

CVE-2026-2379 (GCVE-0-2026-2379)

Tags

Sightings

Nomenclature