CVE-2025-8873 PUBLISHED

Arista EOS Dataplane Denial of Service via Malformed IPsec Packet

Assigner: Arista
Reserved: 11.08.2025 Published: 04.06.2026 Updated: 04.06.2026

On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer.

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Arista Networks
Product	EOS
Versions	Default: unaffected affected from 4.33.0M to 4.33.4M (incl.) affected from 4.32.0M to 4.32.6.1M (incl.) affected from 4.31.0M to 4.31.7.1M (incl.) affected from 4.30.0M to 4.30.10M (incl.) affected from 4.29.0M to 4.29.10.1M (incl.)

Affected Configurations

In order to be vulnerable to CVE-2025-8873, the following condition must be met: IPsec must be configured:

switch>show ip security connection Legend: (P) policy based VPN tunnel Tunnel Source Dest Status Uptime Input Output Rekey Time Tunnel8 10.0.0.1 10.0.0.2 Established 1 minute 0 bytes 0 bytes 54 minutes 30 pkts 30 pkts.

If IPsec is not configured there is no exposure to this issue and the message will look like:

switch>show ip security connection Legend: (P) policy based VPN tunnel.

Workarounds

There are no mitigations for this vulnerability.

Solutions

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see https://www.arista.com/en/support/toi/tcam-profile?pn=ipsec-egress-padding-removal .

This may momentarily impact traffic. Apply the configuration found at the url to create a TCAM profile and then apply the TCAM profile as shown below.

switch(config)#hardware tcam switch(config-tcam)#system profile ipsec-egress-padding-removal ! WARNING! Changing TCAM profile will cause forwarding agent(s) to exit and restart. All traffic through the forwarding chip managed by the restarting forwarding agent will be dropped.

Proceed [y/n]y switch(config-tcam)#

To ensure the TCAM profile has been applied, run the following command and verify the Configuration and Status values match ipsec-egress-padding-removal:

switch(config-tcam)#show hardware tcam profile Configuration Status FixedSystem ipsec-egress-padding-removal ipsec-egress-padding-removal

‘ipsec-egress-padding-removal’ differs from the ‘ipsec’ TCAM profile in two ways:

Egress IP ACLs are disabled
Fixes for BUG603398 and BUG1246592 are applied

References

https://www.arista.com/en/support/advisories-notices/security-advisory/22869-security-advisory-0127

Problem Types

CWE-1286: Improper Validation of Syntactic Correctness of Input CWE

Impacts

CAPEC-125 Flooding