On affected platforms with hardware IPsec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints and potentially causing unstable communication.
In order to be vulnerable to CVE-2026-2379, the IPsec anti-replay detection feature must be disabled. The IPsec anti-replay detection feature is enabled by default when IPsec is enabled in Arista EOS.
The field “Replay window size” in the output of the command “show ip sec connection detail” can be used to verify whether anti-replay is enabled or disabled. A non-zero replay window size indicates that anti-replay detection is enabled.
```
switch#show ip sec connection detail
Tunnel0:
  Source address: 2.0.0.1, Destination address: 2.0.0.2
  State: established
  Uptime: 31 minutes, 49 seconds
  VRF: default
  Inbound SPI: 0xcc09b0d4:
    Request ID: 312, Mode: tunnel, Replay window size: 16384, Seq: 0x0
    Errors:
      Packets outside replay window: 0, Replay: 0, Integrity failed: 0
    Lifetime config:
      Soft byte limit: 3728539143000, Hard byte limit: 6442450944000
      Soft packet limit: 2101671584, Hard packet limit: 4000000000
      Soft time limit: 2657 secs, Hard time limit: 3600 secs
    Lifetime current:
      Current bytes: 461294305
      Current packets: 391481
    SA add time: Mon Jul 8 00:49:52 2024
    SA last use time: Mon Jul 8 01:21:34 2024
  Outbound SPI: 0xc7869a84:
    Request ID: 312, Mode: tunnel, Replay window size: 0, Seq: 0x0
    Errors:
      Packets outside replay window: 0, Replay: 0, Integrity failed: 0
    Lifetime config:
      Soft byte limit: 3616989511500, Hard byte limit: 6442450944000
      Soft packet limit: 2653085513, Hard packet limit: 4000000000
      Soft time limit: 2565 secs, Hard time limit: 3600 secs
    Lifetime current:
      Current bytes: 1421924689
      Current packets: 1207796
    SA add time: Mon Jul 8 00:49:52 2024
    SA last use time: Mon Jul 8 01:21:34 2024
```
In the example above, the replay window size is non-zero which indicates that anti-replay detection is enabled.
If anti-replay detection is enabled, then the vulnerability is not present. The IPsec anti-replay detection feature is disabled with the following configuration:
```
switch(config)# ip security
switch(config-ipsec)# sa policy sa1
switch(config-ipsec-sa1)# no anti-replay detection
```
There is no known mitigation for CVE-2026-2379.
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.
For more information about upgrading see: EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades
CVE-2026-2379 has been fixed in the following releases:
- 4.35.0F and later releases in the 4.35.x train
- 4.34.4M and later releases in the 4.34.x train
- 4.33.6M and later releases in the 4.33.x train
- 4.32.8M and later releases in the 4.32.x train
- 4.31.10M and later releases in the 4.31.x train
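As an added example (not part of the Arista advisory or EOS itself), the following Python script automates the two checks the advisory describes: it parses `show ip sec connection detail` output to find inbound SAs whose replay window size is 0, and it compares an EOS version string against the fixed releases listed above. The sample output is constructed, modelled on the advisory's example; the check is restricted to inbound SAs because replay detection is a receiver-side mechanism, which is why the advisory's own outbound SA reports a window of 0 while the feature is enabled.

```python
import re

# Constructed sample, modelled on the advisory's "show ip sec connection detail"
# output (two tunnels; only the fields this check needs are kept).
SAMPLE_OUTPUT = """\
Tunnel0:
Inbound SPI: 0xcc09b0d4:
Request ID: 312, Mode: tunnel, Replay window size: 16384, Seq: 0x0
Outbound SPI: 0xc7869a84:
Request ID: 312, Mode: tunnel, Replay window size: 0, Seq: 0x0
Tunnel1:
Inbound SPI: 0x1a2b3c4d:
Request ID: 313, Mode: tunnel, Replay window size: 0, Seq: 0x0
"""

# First remediated release per train, as listed in the advisory.
FIXED_RELEASES = {(4, 35): (4, 35, 0), (4, 34): (4, 34, 4), (4, 33): (4, 33, 6),
                  (4, 32): (4, 32, 8), (4, 31): (4, 31, 10)}


def parse_replay_windows(text):
    """Yield (tunnel, direction, spi, window) for every SA in the show output."""
    tunnel = direction = spi = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"(Tunnel\d+):", line):
            tunnel = m.group(1)
        elif m := re.fullmatch(r"(Inbound|Outbound) SPI: (0x[0-9a-fA-F]+):", line):
            direction, spi = m.groups()
        elif m := re.search(r"Replay window size: (\d+)", line):
            yield tunnel, direction, spi, int(m.group(1))


def inbound_sas_without_anti_replay(text):
    """Inbound SAs whose replay window is 0, i.e. anti-replay detection is off.
    Outbound SAs are skipped: the sender keeps no replay window, so they show 0
    even when the feature is enabled."""
    return [(t, spi) for t, d, spi, w in parse_replay_windows(text)
            if d == "Inbound" and w == 0]


def is_remediated(version):
    """True/False if the version's train is in the fixed list, None if unknown."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised EOS version: {version!r}")
    ver = tuple(int(x) for x in m.groups())
    fixed = FIXED_RELEASES.get(ver[:2])
    return None if fixed is None else ver >= fixed
```

A version in a train the advisory does not list (for example 4.30.x) returns `None` rather than a verdict, since the page gives no fixed release for it.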