Vendor scorecard
Arista
Data-center and campus switching built on a single EOS image across the portfolio.
CPE: arista
Product families
3
Open in latest
19
Inferred — see methodology
Last disclosure
Jun 5, 2026
01
Product categories
3 trackedCVE volume, severity mix and the inferred latest shipping version per category.
| Category | CVEs | Volume | Severity mix | Open | Inferred latest |
|---|---|---|---|---|---|
| EOSRouting & Switchingeos, eos_xi | 19 | 16 | 4.32.1fHIGH | ||
| CloudVisionNetwork Management & Monitoringcloudvision_portal, cloudvision_wifi | 3 | 3 | 2026.1.0HIGH | ||
| WirelessWireless LANc-200, c-230, c-250… | 0 | 0 | unknown |
02
Recent CVEs
12 shownMost recently published, newest first. Each ID links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2026-7473(opens NVD record) | Medium | 5.8 | On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild. | Jun 5, 2026 |
| CVE-2026-31431(opens NVD record) | High | 7.8 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. | Apr 22, 2026 |
| CVE-2024-6387(opens NVD record) | High | 8.1 | A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. | Jul 1, 2024 |
| CVE-2023-3646(opens NVD record) | Medium | 5.9 | On affected platforms running Arista EOS with mirroring to multiple destinations configured, an internal system error may trigger a kernel panic and cause system reload. | Aug 29, 2023 |
| CVE-2023-24548(opens NVD record) | Medium | 5.3 | On affected platforms running Arista EOS with VXLAN configured, malformed or truncated packets received over a VXLAN tunnel and forwarded in hardware can cause egress ports to be unable to forward packets. The device will continue to be susceptible to the issue until remediation is in place. | Aug 29, 2023 |
| CVE-2023-24546(opens NVD record) | High | 8.1 | On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service. | Jun 13, 2023 |
| CVE-2023-24510(opens NVD record) | High | 7.5 | On the affected platforms running EOS, a malformed DHCP packet might cause the DHCP relay agent to restart. | Jun 5, 2023 |
| CVE-2023-24512(opens NVD record) | High | 8.8 | On affected platforms running Arista EOS, an authorized attacker with permissions to perform gNMI requests could craft a request allowing it to update arbitrary configurations in the switch. This situation occurs only when the Streaming Telemetry Agent (referred to as the TerminAttr agent) is enabled and gNMI access is configured on the agent. Note: This gNMI over the Streaming Telemetry Agent scenario is mostly commonly used when streaming to a 3rd party system and is not used by default when streaming to CloudVision | Apr 25, 2023 |
| CVE-2023-24509(opens NVD record) | Critical | 9.3 | On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability. | Apr 13, 2023 |
| CVE-2023-24511(opens NVD record) | Medium | 5.3 | On affected platforms running Arista EOS with SNMP configured, a specially crafted packet can cause a memory leak in the snmpd process. This may result in the snmpd processing being terminated (causing SNMP requests to time out until snmpd is automatically restarted) and potential memory resource exhaustion for other processes on the switch. The vulnerability does not have any confidentiality or integrity impacts to the system. | Apr 12, 2023 |
| CVE-2021-28510(opens NVD record) | Medium | 5.3 | For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable. | Jan 26, 2023 |
| CVE-2022-29071(opens NVD record) | Medium | 4.0 | This advisory documents an internally found vulnerability in the on premises deployment model of Arista CloudVision Portal (CVP) where under a certain set of conditions, user passwords can be leaked in the Audit and System logs. The impact of this vulnerability is that the CVP user login passwords might be leaked to other authenticated users. | Aug 5, 2022 |
22 CVEs · 3 product families