CWE-1023

Incomplete Comparison with Missing Factors

The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

CVE-2021-23146 (GCVE-0-2021-23146)

Vulnerability from cvelistv5 – Published: 2021-11-18 17:59 – Updated: 2024-09-17 02:41
Summary
An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV verification. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions.
CWE
Assigner
References
Impacted products
Vendor Product Version
Gallagher Command Center Affected: 8.40 prior to 8.40.1888 (MR3)
Affected: 8.30 prior to 8.30.1359 (MR3)
Affected: 8.20 prior to 8.20.1259 (MR5)
Affected: 8.10 prior to 8.10.1284 (MR7)
Affected: 8.00 and prior
Date Public
2021-11-15 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:58:26.429Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23146"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Command Center",
          "vendor": "Gallagher",
          "versions": [
            {
              "status": "affected",
              "version": "8.40 prior to 8.40.1888 (MR3)"
            },
            {
              "status": "affected",
              "version": "8.30 prior to 8.30.1359 (MR3)"
            },
            {
              "status": "affected",
              "version": "8.20 prior to 8.20.1259 (MR5)"
            },
            {
              "status": "affected",
              "version": "8.10 prior to 8.10.1284 (MR7)"
            },
            {
              "status": "affected",
              "version": "8.00 and prior"
            }
          ]
        }
      ],
      "datePublic": "2021-11-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV verification. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-29T16:55:25.000Z",
        "orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
        "shortName": "Gallagher"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23146"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "disclosures@gallagher.com",
          "DATE_PUBLIC": "2021-11-15T07:34:00.000Z",
          "ID": "CVE-2021-23146",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Command Center",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "8.40 prior to 8.40.1888 (MR3)"
                          },
                          {
                            "version_value": "8.30 prior to 8.30.1359 (MR3)"
                          },
                          {
                            "version_value": "8.20 prior to 8.20.1259 (MR5)"
                          },
                          {
                            "version_value": "8.10 prior to 8.10.1284 (MR7)"
                          },
                          {
                            "version_value": "8.00 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Gallagher"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV verification. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1023"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.gallagher.com/Security-Advisories/CVE-2021-23146",
              "refsource": "MISC",
              "url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23146"
            }
          ]
        },
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
    "assignerShortName": "Gallagher",
    "cveId": "CVE-2021-23146",
    "datePublished": "2021-11-18T17:59:56.770Z",
    "dateReserved": "2021-01-26T00:00:00.000Z",
    "dateUpdated": "2024-09-17T02:41:22.754Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-5528 (GCVE-0-2024-5528)

Vulnerability from cvelistv5 – Published: 2025-02-05 10:31 – Updated: 2025-02-05 20:13
Title
Incomplete Comparison with Missing Factors in GitLab
Summary
An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
References
URL Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/464558 issue-tracking, permissions-required
https://hackerone.com/reports/2523654 technical-description, exploit, permissions-required
https://about.gitlab.com/releases/2024/07/10/patc… release-notes
Impacted products
Vendor Product Version
GitLab GitLab Affected: 0.0 , < 16.11.6 (semver)
Affected: 17.0 , < 17.0.4 (semver)
Affected: 17.1 , < 17.1.2 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Credits
Thanks [fdeleite](https://hackerone.com/fdeleite) for reporting this vulnerability through our HackerOne bug bounty program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5528",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T14:15:48.499691Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T20:13:11.436Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "release-notes"
            ],
            "url": "https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "16.11.6",
              "status": "affected",
              "version": "0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.0.4",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.1.2",
              "status": "affected",
              "version": "17.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [fdeleite](https://hackerone.com/fdeleite) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023: Incomplete Comparison with Missing Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-05T10:31:06.106Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #464558",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/464558"
        },
        {
          "name": "HackerOne Bug Bounty Report #2523654",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/2523654"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 16.11.6, 17.0.4, 17.1.2 or above."
        }
      ],
      "title": "Incomplete Comparison with Missing Factors in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2024-5528",
    "datePublished": "2025-02-05T10:31:06.106Z",
    "dateReserved": "2024-05-30T11:30:38.447Z",
    "dateUpdated": "2025-02-05T20:13:11.436Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46722 (GCVE-0-2025-46722)

Vulnerability from cvelistv5 – Published: 2025-05-29 16:36 – Updated: 2025-05-29 18:13
Title
vLLM has a Weakness in MultiModalHasher Image Hashing Implementation
Summary
vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1288 - Improper Validation of Consistency within Input
  • CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
Impacted products
Vendor Product Version
vllm-project vllm Affected: >= 0.7.0, < 0.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-29T18:12:29.713264Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-29T18:13:02.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vllm",
          "vendor": "vllm-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.7.0, \u003c 0.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image\u2019s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1288",
              "description": "CWE-1288: Improper Validation of Consistency within Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023: Incomplete Comparison with Missing Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-29T16:36:12.879Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-c65p-x677-fgj6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-c65p-x677-fgj6"
        },
        {
          "name": "https://github.com/vllm-project/vllm/pull/17378",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/pull/17378"
        },
        {
          "name": "https://github.com/vllm-project/vllm/commit/99404f53c72965b41558aceb1bc2380875f5d848",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/commit/99404f53c72965b41558aceb1bc2380875f5d848"
        }
      ],
      "source": {
        "advisory": "GHSA-c65p-x677-fgj6",
        "discovery": "UNKNOWN"
      },
      "title": "vLLM has a Weakness in MultiModalHasher Image Hashing Implementation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46722",
    "datePublished": "2025-05-29T16:36:12.879Z",
    "dateReserved": "2025-04-28T20:56:09.084Z",
    "dateUpdated": "2025-05-29T18:13:02.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-55333 (GCVE-0-2025-55333)

Vulnerability from cvelistv5 – Published: 2025-10-14 17:00 – Updated: 2026-02-22 17:24
Title
Windows BitLocker Security Feature Bypass Vulnerability
Summary
Incomplete comparison with missing factors in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
References
Impacted products
Vendor Product Version
Microsoft Windows 10 Version 1507 Affected: 10.0.10240.0 , < 10.0.10240.21161 (custom)
Microsoft Windows 10 Version 1607 Affected: 10.0.14393.0 , < 10.0.14393.8519 (custom)
Microsoft Windows 10 Version 1809 Affected: 10.0.17763.0 , < 10.0.17763.7919 (custom)
Microsoft Windows 10 Version 21H2 Affected: 10.0.19044.0 , < 10.0.19044.6456 (custom)
Microsoft Windows 10 Version 22H2 Affected: 10.0.19045.0 , < 10.0.19045.6456 (custom)
Microsoft Windows 11 version 22H2 Affected: 10.0.22621.0 , < 10.0.22621.6060 (custom)
Microsoft Windows 11 version 22H3 Affected: 10.0.22631.0 , < 10.0.22631.6060 (custom)
Microsoft Windows 11 Version 23H2 Affected: 10.0.22631.0 , < 10.0.22631.6060 (custom)
Microsoft Windows 11 Version 24H2 Affected: 10.0.26100.0 , < 10.0.26100.6899 (custom)
Microsoft Windows 11 Version 25H2 Affected: 10.0.26200.0 , < 10.0.26200.6899 (custom)
Microsoft Windows Server 2016 Affected: 10.0.14393.0 , < 10.0.14393.8519 (custom)
Microsoft Windows Server 2016 (Server Core installation) Affected: 10.0.14393.0 , < 10.0.14393.8519 (custom)
Microsoft Windows Server 2019 Affected: 10.0.17763.0 , < 10.0.17763.7919 (custom)
Microsoft Windows Server 2019 (Server Core installation) Affected: 10.0.17763.0 , < 10.0.17763.7919 (custom)
Microsoft Windows Server 2022 Affected: 10.0.20348.0 , < 10.0.20348.4294 (custom)
Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) Affected: 10.0.25398.0 , < 10.0.25398.1913 (custom)
Microsoft Windows Server 2025 Affected: 10.0.26100.0 , < 10.0.26100.6899 (custom)
Microsoft Windows Server 2025 (Server Core installation) Affected: 10.0.26100.0 , < 10.0.26100.6899 (custom)
Date Public
2025-10-14 14:00

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55333",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T19:31:53.620519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T19:32:02.175Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1507",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.10240.21161",
              "status": "affected",
              "version": "10.0.10240.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1607",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8519",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1809",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.7919",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 21H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19044.6456",
              "status": "affected",
              "version": "10.0.19044.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 22H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19045.6456",
              "status": "affected",
              "version": "10.0.19045.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 version 22H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22621.6060",
              "status": "affected",
              "version": "10.0.22621.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems"
          ],
          "product": "Windows 11 version 22H3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6060",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 23H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6060",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 24H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.6899",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Windows 11 Version 25H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26200.6899",
              "status": "affected",
              "version": "10.0.26200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8519",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8519",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.7919",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.7919",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.20348.4294",
              "status": "affected",
              "version": "10.0.20348.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022, 23H2 Edition (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.25398.1913",
              "status": "affected",
              "version": "10.0.25398.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.6899",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.6899",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_2H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.26200.6899",
                  "versionStartIncluding": "10.0.26200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.17763.7919",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.7919",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.7919",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.20348.4294",
                  "versionStartIncluding": "10.0.20348.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.19044.6456",
                  "versionStartIncluding": "10.0.19044.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_22H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.22621.6060",
                  "versionStartIncluding": "10.0.22621.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.19045.6456",
                  "versionStartIncluding": "10.0.19045.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.6899",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.22631.6060",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.22631.6060",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.25398.1913",
                  "versionStartIncluding": "10.0.25398.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26100.6899",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.6899",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.10240.21161",
                  "versionStartIncluding": "10.0.10240.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.14393.8519",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8519",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8519",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2025-10-14T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Incomplete comparison with missing factors in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023: Incomplete Comparison with Missing Factors",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-22T17:24:16.715Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Windows BitLocker Security Feature Bypass Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55333"
        }
      ],
      "title": "Windows BitLocker Security Feature Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2025-55333",
    "datePublished": "2025-10-14T17:00:13.952Z",
    "dateReserved": "2025-08-12T20:19:59.424Z",
    "dateUpdated": "2026-02-22T17:24:16.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-62000 (GCVE-0-2025-62000)

Vulnerability from cvelistv5 – Published: 2025-12-18 20:32 – Updated: 2026-01-15 19:50
Title
BullWall Ransomware Containment incomplete file inspection
Summary
BullWall Ransomware Containment may not always detect an encrypted file. This issue affects a specific file inspection method that evaluates file content based on header bytes. An authenticated attacker could encrypt files, preserving the first four bytes and preventing this particular method from triggering. The affected product implements additional integrity-based detection mechanisms capable of identifying file corruption or encryption for some common file extensions independent of header bytes. As a result, this vulnerability does not represent a complete bypass of ransomware detection, but a limitation of one detection method when evaluated independently. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected. BullWall plans to improve detection method documentation.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
References
Impacted products
Vendor Product Version
BullWall Ransomware Containment Affected: 4.6.0.0 , < * (custom)
Date Public
2025-12-18 00:00
Credits
Alexander Nikolaj Fischer

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62000",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-18T20:39:27.999740Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-18T20:39:37.121Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Ransomware Containment",
          "vendor": "BullWall",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "4.6.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Alexander Nikolaj Fischer"
        }
      ],
      "datePublic": "2025-12-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "BullWall Ransomware Containment may not always detect an encrypted file. This issue affects a specific file inspection method that evaluates file content based on header bytes. An authenticated attacker could encrypt files, preserving the first four bytes and preventing this particular method from triggering. The affected product implements additional integrity-based detection mechanisms capable of identifying file corruption or encryption for some common file extensions independent of header bytes. As a result, this vulnerability does not represent a complete bypass of ransomware detection, but a limitation of one detection method when evaluated independently. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected. BullWall plans to improve detection method documentation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        },
        {
          "other": {
            "content": {
              "id": "CVE-2025-62000",
              "options": [
                {
                  "Exploitation": "none"
                },
                {
                  "Automatable": "no"
                },
                {
                  "Technical Impact": "partial"
                }
              ],
              "role": "CISA Coordinator",
              "timestamp": "2025-12-18T19:55:52.454192Z",
              "version": "2.0.3"
            },
            "type": "ssvc"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023 Incomplete Comparison with Missing Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-15T19:50:39.114Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "tags": [
            "government-resource",
            "third-party-advisory"
          ],
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-352-01.json"
        },
        {
          "name": "url",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-62000"
        }
      ],
      "title": "BullWall Ransomware Containment incomplete file inspection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2025-62000",
    "datePublished": "2025-12-18T20:32:02.910Z",
    "dateReserved": "2025-10-07T14:33:04.481Z",
    "dateUpdated": "2026-01-15T19:50:39.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4748 (GCVE-0-2026-4748)

Vulnerability from cvelistv5 – Published: 2026-04-01 06:18 – Updated: 2026-04-01 14:56
Title
pf silently ignores certain rules
Summary
A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected. Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant. Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-480 - Use of Incorrect Operator
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
  • CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
References
Impacted products
Vendor Product Version
FreeBSD FreeBSD Affected: 15.0-RELEASE , < p5 (release)
Affected: 14.4-RELEASE , < p1 (release)
Affected: 14.3-RELEASE , < p10 (release)
Date Public
2026-03-26 05:00
Credits
Michael Gmelin

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4748",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T14:55:44.105033Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T14:56:02.208Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "pf"
          ],
          "product": "FreeBSD",
          "vendor": "FreeBSD",
          "versions": [
            {
              "lessThan": "p5",
              "status": "affected",
              "version": "15.0-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p1",
              "status": "affected",
              "version": "14.4-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p10",
              "status": "affected",
              "version": "14.3-RELEASE",
              "versionType": "release"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Gmelin"
        }
      ],
      "datePublic": "2026-03-26T05:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates.  Only the first of such rules is actually loaded into pf.  Ranges expressed using the address[/mask-bits] syntax were not affected.\n\nSome keywords representing actions taken on a packet-matching rule, such as \u0027log\u0027, \u0027return tll\u0027, or \u0027dnpipe\u0027, may suffer from the same issue.  It is unlikely that users have such configurations, as these rules would always be redundant.\n\nAffected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-480",
              "description": "CWE-480: Use of Incorrect Operator",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023: Incomplete Comparison with Missing Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T06:18:52.097Z",
        "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
        "shortName": "freebsd"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:09.pf.asc"
        }
      ],
      "title": "pf silently ignores certain rules",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
    "assignerShortName": "freebsd",
    "cveId": "CVE-2026-4748",
    "datePublished": "2026-04-01T06:18:52.097Z",
    "dateReserved": "2026-03-24T04:14:17.566Z",
    "dateUpdated": "2026-04-01T14:56:02.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48587 (GCVE-0-2026-48587)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47
Title
Potential exposure of private data via whitespace padding in Vary header
Summary
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
DSF
Impacted products
Vendor Product Version
djangoproject Django Affected: 6.0 , < 6.0.6 (python)
Unaffected: 6.0.6 (python)
Affected: 5.2 , < 5.2.15 (python)
Unaffected: 5.2.15 (python)
Date Public
2026-06-03 08:00
Credits
Navid Rezazadeh Jake Howard Natalia Bidart

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48587",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:47:33.121791Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:47:55.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Navid Rezazadeh"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.utils.cache.has_vary_header()\u003c/code\u003e in Django does not strip leading or trailing whitespace from \u003ccode\u003eVary\u003c/code\u003e response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Navid Rezazadeh for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Navid Rezazadeh for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-204",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023: Incomplete Comparison with Missing Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:47.811Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-11T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-26T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential exposure of private data via whitespace padding in Vary header",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-48587",
    "datePublished": "2026-06-03T13:16:47.811Z",
    "dateReserved": "2026-05-21T20:50:32.465Z",
    "dateUpdated": "2026-06-03T15:47:55.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7473 (GCVE-0-2026-7473)

Vulnerability from cvelistv5 – Published: 2026-06-05 16:22 – Updated: 2026-06-05 16:22
Title
Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass
Summary
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packets with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.
CWE
  • CWE-1023 - Incomplete Comparison with Missing Factors
Assigner
References
Impacted products
Vendor Product Version
Arista Networks EOS Affected: 4.36.0 (custom)
Affected: 4.35.0 , ≤ 4.35 (custom)
Affected: 4.34.0 , ≤ 4.34 (custom)
Affected: 4.33.0 , ≤ 4.33 (custom)
Affected: 4.32.0 , ≤ 4.32 (custom)
Affected: 4.31.0 , ≤ 4.31 (custom)
Affected: * , ≤ 4.30 (custom)
Date Public
2026-05-05 00:00
Credits
Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis at Comcast

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "platforms": [
            "7020R Series",
            "7280R/R2 Series",
            "7500R/R2 Series",
            "7280R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)",
            "7500R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)",
            "7800R3 Series (Limited exposure: IP-in-IPv6 and GUEv6)"
          ],
          "product": "EOS",
          "vendor": "Arista Networks",
          "versions": [
            {
              "status": "affected",
              "version": "4.36.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.35",
              "status": "affected",
              "version": "4.35.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.34",
              "status": "affected",
              "version": "4.34.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.33",
              "status": "affected",
              "version": "4.33.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.32",
              "status": "affected",
              "version": "4.32.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31",
              "status": "affected",
              "version": "4.31.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30",
              "status": "affected",
              "version": "*",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2026-7473, the following condition must be met:\u003c/p\u003e\u003cp\u003eThe device must be configured as a tunnel endpoint with a decapsulation IP \u2014 for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an ip decap-group.\u003c/p\u003e\u003cp\u003eA device configured to decapsulate one tunnel type will also incorrectly accept and decapsulate other tunnel protocols destined to the same IP address, even if those protocols were not explicitly configured. The following table summarizes which additional tunnel types a device will decapsulate based on its configured decapsulation type (note that some cases require extra protocol specific configurations for traffic to be decapsulated). Note that in all cases the inner header could be IPv4 or IPv6.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eNote on Platforms:\u003c/b\u003e\u003c/div\u003e\u003cul\u003e\u003cli\u003eAll scenarios below apply to 7020R Series, 7280R/R2 Series, and 7500R/R2 Series.\u003c/li\u003e\u003cli\u003eOnly the IP-in-IPv6 and GUE IPV6 Decap Group scenarios apply to 7280R3 Series, 7500R3 Series, and 7800R3 Series.\u003c/li\u003e\u003c/ul\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003cth\u003eConfigured decapsulation tunnel type\u003c/th\u003e\u003cth\u003eUnexpected decapsulation of tunnel type traffic to configured decap IP\u003c/th\u003e\u003cth\u003eAdditional configurations required for exploitation\u003c/th\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"2\"\u003eVXLAN IPv4 Tunnel Interface\u003c/td\u003e\u003ctd\u003eGRE, IPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eTNI in NVGRE packet must match a VXLAN VNI configured on switch\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"3\"\u003eGRE IPv4 Tunnel Interface\u003c/td\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGeneric UDP Encapsulation (GUE)\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured. Both source and destination IP must match GRE tunnel configuration.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIPoIP\u003c/td\u003e\u003ctd\u003eBoth source and destination IP must match GRE tunnel configuration.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"4\"\u003eGRE IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eIPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VXLAN VNI configured on switch.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eGRE, IPoIP\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"4\"\u003eIP-in-IPv4 Decap Group\u003c/td\u003e\u003ctd\u003eGRE\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNVGRE\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VNI configured on switch.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVXLAN\u003c/td\u003e\u003ctd\u003eVXLAN Tunnel Interface (VTI) and VNI mapping must be configured\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd rowspan=\"2\"\u003eIP-in-IPv6 Decap Group\u003c/td\u003e\u003ctd\u003eGREv6\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUEv6\u003c/td\u003e\u003ctd\u003eGUE Decap Group and relevant UDP destination port to payload mapping must be configured.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGUE IPv6 Decap Group\u003c/td\u003e\u003ctd\u003eIP-in-IPv6, GREv6\u003c/td\u003e\u003ctd\u003eNone\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2026-7473, the following condition must be met:\n\n\n\nThe device must be configured as a tunnel endpoint with a decapsulation IP \u2014 for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an ip decap-group.\n\n\n\nA device configured to decapsulate one tunnel type will also incorrectly accept and decapsulate other tunnel protocols destined to the same IP address, even if those protocols were not explicitly configured. The following table summarizes which additional tunnel types a device will decapsulate based on its configured decapsulation type (note that some cases require extra protocol specific configurations for traffic to be decapsulated). Note that in all cases the inner header could be IPv4 or IPv6.\n\nNote on Platforms:\n\n  *  All scenarios below apply to 7020R Series, 7280R/R2 Series, and 7500R/R2 Series.\n  *  Only the IP-in-IPv6 and GUE IPV6 Decap Group scenarios apply to 7280R3 Series, 7500R3 Series, and 7800R3 Series.\n\n\nConfigured decapsulation tunnel typeUnexpected decapsulation of tunnel type traffic to configured decap IPAdditional configurations required for exploitationVXLAN IPv4 Tunnel InterfaceGRE, IPoIPNoneNVGRETNI in NVGRE packet must match a VXLAN VNI configured on switchGRE IPv4 Tunnel InterfaceVXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGeneric UDP Encapsulation (GUE)GUE Decap Group and relevant UDP destination port to payload mapping must be configured. Both source and destination IP must match GRE tunnel configuration.IPoIPBoth source and destination IP must match GRE tunnel configuration.GRE IPv4 Decap GroupIPoIPNoneVXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGUEGUE Decap Group and relevant UDP destination port to payload mapping must be configured.NVGREVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VXLAN VNI configured on switch.GUE IPv4 Decap GroupGRE, IPoIPNoneIP-in-IPv4 Decap GroupGRENoneNVGREVXLAN Tunnel Interface (VTI) must be configured. TNI in NVGRE packet must match a VNI configured on switch.VXLANVXLAN Tunnel Interface (VTI) and VNI mapping must be configuredGUEGUE Decap Group and relevant UDP destination port to payload mapping must be configured.IP-in-IPv6 Decap GroupGREv6NoneGUEv6GUE Decap Group and relevant UDP destination port to payload mapping must be configured.GUE IPv6 Decap GroupIP-in-IPv6, GREv6None"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTo check if the device is acting as a VXLAN VTEP:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show interfaces vxlan 1\n\u0026nbsp;Vxlan1 is up, line protocol is up (connected)\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Source interface is Loopback1 and is active with 10.0.0.1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Listening on UDP port 4789\n\u0026nbsp;\u0026nbsp;\u0026nbsp;...\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf the output contains \u201c\u003cb\u003eSource interface is \u0026lt;interface\u0026gt; and is active with \u0026lt;IP\u0026gt;\u003c/b\u003e\u201d, the device is acting as a VXLAN VTEP with \u0026lt;IP\u0026gt; as the tunnel termination address, and is potentially impacted.\u003c/p\u003e\u003cp\u003eTo check if a GRE tunnel interface is configured:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show interfaces Tunnel0\n\u0026nbsp;Tunnel0 is up, line protocol is up\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Hardware is Tunnel\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Tunnel source 1.1.1.1, destination 1.1.1.2\n\u0026nbsp;\u0026nbsp;\u0026nbsp;Tunnel protocol/transport GRE/IP\n\u0026nbsp;\u0026nbsp;\u0026nbsp;...\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf the tunnel interface is up with a source and destination, the device is a GRE tunnel endpoint and is potentially impacted.\u003c/p\u003e\u003cp\u003eTo check if decap-groups are configured:\u003c/p\u003e\u003cpre\u003eswitch\u0026gt;show ip decap-group\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf none of the above outputs show the presence of any tunnel endpoint configurations, the device does not perform tunnel decapsulation and is not exposed to this issue.\u003c/p\u003e"
            }
          ],
          "value": "To check if the device is acting as a VXLAN VTEP:\n\n\n\nswitch\u003eshow interfaces vxlan 1\n\u00a0Vxlan1 is up, line protocol is up (connected)\n\u00a0\u00a0\u00a0Source interface is Loopback1 and is active with 10.0.0.1\n\u00a0\u00a0\u00a0Listening on UDP port 4789\n\u00a0\u00a0\u00a0...\n\n\n\u00a0\n\n\n\nIf the output contains \u201cSource interface is \u003cinterface\u003e and is active with \u003cIP\u003e\u201d, the device is acting as a VXLAN VTEP with \u003cIP\u003e as the tunnel termination address, and is potentially impacted.\n\n\n\nTo check if a GRE tunnel interface is configured:\n\n\n\nswitch\u003eshow interfaces Tunnel0\n\u00a0Tunnel0 is up, line protocol is up\n\u00a0\u00a0\u00a0Hardware is Tunnel\n\u00a0\u00a0\u00a0Tunnel source 1.1.1.1, destination 1.1.1.2\n\u00a0\u00a0\u00a0Tunnel protocol/transport GRE/IP\n\u00a0\u00a0\u00a0...\n\n\n\u00a0\n\n\n\nIf the tunnel interface is up with a source and destination, the device is a GRE tunnel endpoint and is potentially impacted.\n\n\n\nTo check if decap-groups are configured:\n\n\n\nswitch\u003eshow ip decap-group\n\n\n\u00a0\n\n\n\nIf none of the above outputs show the presence of any tunnel endpoint configurations, the device does not perform tunnel decapsulation and is not exposed to this issue."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis at Comcast"
        }
      ],
      "datePublic": "2026-05-05T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOn affected platforms running Arista EOS where a tunnel decapsulation configuration\u2014such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface\u2014is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.\u003c/p\u003e\u003cp\u003eThis issue has been reported as being exploited in the wild.\u003c/p\u003e"
            }
          ],
          "value": "On affected platforms running Arista EOS where a tunnel decapsulation configuration\u2014such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface\u2014is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.\n\n\n\nThis issue has been reported as being exploited in the wild."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-272",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-272 Protocol Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023: Incomplete Comparison with Missing Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T16:22:47.989Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eNo software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments. The recommended resolution of this issue is to follow the appropriate mitigation instructions detailed in the workaround block.\u003c/p\u003e"
            }
          ],
          "value": "No software upgrade path is planned to address this issue due to the risk of breaking existing configuration on deployments. The recommended resolution of this issue is to follow the appropriate mitigation instructions detailed in the workaround block."
        }
      ],
      "source": {
        "advisory": "0137",
        "defect": [
          "BUG1086442",
          "BUG1519884"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Arista EOS Unexpected Tunnel Protocol Decapsulation and Forwarding Bypass",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere are two broad approaches to mitigate this issue - (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening. In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic. For example, if a network is configured to forward VXLAN traffic, but GRE traffic is being unexpectedly forwarded, then ACLs can be used to either selectively allow just VXLAN traffic or selectively block GRE traffic. More details about using the ACL feature can be found in the\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1150869\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eArista User Manual\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eA note of caution, the following ACL-based mitigation recommendations assume that the tunnel IP is dedicated solely to receiving the configured tunnel protocol traffic. When adapting these rules for your environment, it is important to explicitly permit any additional protocol traffic\u2014such as BGP or SSH\u2014if that IP serves multiple functions. To maintain connectivity, ensure these permit statements are sequenced before any deny statements directed at the decapsulation IP.\u003c/p\u003e\u003cp\u003eThe following configurations align with the recommendations outlined in the\u0026nbsp;\u003ca href=\"https://arista.my.site.com/AristaCommunity/s/article/arista-eos-hardening-guide#Comm_Kna_ka0Uw00000097VJIAY_71\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eArista EOS Hardening Guide\u003c/a\u003e.\u003c/p\u003e"
            }
          ],
          "value": "There are two broad approaches to mitigate this issue - (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening. In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic. For example, if a network is configured to forward VXLAN traffic, but GRE traffic is being unexpectedly forwarded, then ACLs can be used to either selectively allow just VXLAN traffic or selectively block GRE traffic. More details about using the ACL feature can be found in the\u00a0 Arista User Manual https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1150869 .\n\n\n\nA note of caution, the following ACL-based mitigation recommendations assume that the tunnel IP is dedicated solely to receiving the configured tunnel protocol traffic. When adapting these rules for your environment, it is important to explicitly permit any additional protocol traffic\u2014such as BGP or SSH\u2014if that IP serves multiple functions. To maintain connectivity, ensure these permit statements are sequenced before any deny statements directed at the decapsulation IP.\n\n\n\nThe following configurations align with the recommendations outlined in the\u00a0 Arista EOS Hardening Guide https://arista.my.site.com/AristaCommunity/s/article/arista-eos-hardening-guide#Comm_Kna_ka0Uw00000097VJIAY_71 ."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch3\u003eApproach 1 - Applying ACL on Upstream Switches\u003c/h3\u003e\u003cp\u003eOn upstream devices, applying ACLs to allow specific tunneled traffic is straightforward. ACLs can be applied that match on tunnel destination IP, the IP next protocol field, and (optionally) UDP destination port to selectively allow or block specific tunnel protocols.\u003c/p\u003e\u003cp\u003eExample ACLs for Arista EOS follows.\u003c/p\u003eACL to permit VXLANv4 Only\u003cp\u003eThis IPv4 ACL matches on VXLAN packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = VXLAN VTEP IP\u003cbr\u003e(c) UDP destination port = VXLAN UDP Port (4789)\u003c/p\u003e\u003cp\u003eIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;vxlan-decap-ip\u0026gt; eq 4789\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny ip any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit ip any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GREv4 Only\u003cp\u003eThis IPv4 ACL matches on GRE packets as follows:\u003cbr\u003e(a) IP next protocol = GRE (47)\u003cbr\u003e(b) IP DIP = GRE Tunnel Destination IP\u003c/p\u003e\u003cp\u003eIt allows GRE packets and drops all other packets to the GRE Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit gre any host \u0026lt;gre-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny ip any host \u0026lt;gre-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit IP-in-IPv4 Only\u003cp\u003eThis IPv4 ACL matches on IP-in-IPv4 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv4 packets and drops all other packets to the IP-in-IPv4 Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ip any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit IP-in-IPv6 Only\u003cp\u003eThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;ipip-decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv4 Only\u003cp\u003eThis IPv4 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; \u0026nbsp;\u0026nbsp;\u0026nbsp;(IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eip access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ip any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ip any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit GUEv6 Only\u003cp\u003eThis IPv6 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (17)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\u003c/pre\u003e"
            }
          ],
          "value": "Approach 1 - Applying ACL on Upstream Switches\n\nOn upstream devices, applying ACLs to allow specific tunneled traffic is straightforward. ACLs can be applied that match on tunnel destination IP, the IP next protocol field, and (optionally) UDP destination port to selectively allow or block specific tunnel protocols.\n\n\n\nExample ACLs for Arista EOS follows.\n\nACL to permit VXLANv4 Only\n\nThis IPv4 ACL matches on VXLAN packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = VXLAN VTEP IP\n(c) UDP destination port = VXLAN UDP Port (4789)\n\n\n\nIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cvxlan-decap-ip\u003e eq 4789\n\u00a0\u00a0\u00a02 deny ip any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a03 permit ip any any\n\n\n\u00a0\n\nACL to permit GREv4 Only\n\nThis IPv4 ACL matches on GRE packets as follows:\n(a) IP next protocol = GRE (47)\n(b) IP DIP = GRE Tunnel Destination IP\n\n\n\nIt allows GRE packets and drops all other packets to the GRE Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit gre any host \u003cgre-decap-ip\u003e\n\u00a0\u00a0\u00a02 deny ip any host \u003cgre-decap-ip\u003e\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nACL to permit IP-in-IPv4 Only\n\nThis IPv4 ACL matches on IP-in-IPv4 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv4 packets and drops all other packets to the IP-in-IPv4 Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a03 deny ip any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to Permit IP-in-IPv6 Only\n\nThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cipip-decap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any\n\n\n\u00a0\n\nACL to permit GUEv4 Only\n\nThis IPv4 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0(IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nip access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ip any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ip any any\n\n\n\u00a0\n\nACL to Permit GUEv6 Only\n\nThis IPv6 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (17)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch3\u003eApproach 2 - Applying ACL on Decapsulation Switches\u003c/h3\u003e\u003cp\u003eApplying ACLs on the decapsulation device is more complicated. It requires the use of MAC ACLs on 7020R Series, 7280R/R2 Series, and 7500R/R2 Series systems and IP ACLs on 7280R3 Series, 7500R3 Series, and 7800R3 Series systems. In both cases, a TCAM profile update is also required. Note that TCAM profile update is a disruptive operation that could impact traffic forwarding. More information can be found in\u0026nbsp;\u003ca href=\"https://www.arista.com/en/support/toi/eos-4-26-0f/14755-user-defined-tcam-profiles\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eUser-defined TCAM Profiles\u003c/a\u003e.\u003c/p\u003e7020R Series, 7280R/R2 Series, and 7500R/R2 Series\u003cp\u003eMitigation involves using MAC ACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. The suggested MAC ACLs use User Defined Fields (UDFs) to match on specific fields in the packet headers. This requires a TCAM profile update to include the following UDF qualifiers:\u003c/p\u003e\u003col\u003e\u003cli\u003eFor IPv4 tunnels, 2 16b and 1 32b UDF qualifiers need to be included.\u003c/li\u003e\u003cli\u003eFor IPv6 tunnels, 2 16b and 4 32b UDF qualifiers need to be included.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eHowever, in order to make room for the UDF qualifiers, other TCAM features/qualifiers must be removed due to hardware constraints. Following are some suggested TCAM profile changes to accommodate the required UDF qualifiers:\u003c/p\u003e\u003col\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for MPLS:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key size limit\u0026nbsp;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature mpls pop ingress\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr mpls\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for VXLAN:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key field src-mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eTCAM profile that includes the UDF qualifiers for IPv6 tunnels, but removes support for VXLAN and PBR:\u003cbr\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test1 copy default\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key size limit\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no key field src-mac dst-mac\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;key field udf-16b-1 udf-16b-2 udf-32b-1 udf-32b-2 udf-32b-3 udf-32b-4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature tunnel vxlan\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature tunnel vxlan routing\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;no feature pbr ipv6\n\u003c/pre\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003ePlease contact Arista TAC if further assistance is needed with TCAM profile construction.\u003c/p\u003e"
            }
          ],
          "value": "Approach 2 - Applying ACL on Decapsulation Switches\n\nApplying ACLs on the decapsulation device is more complicated. It requires the use of MAC ACLs on 7020R Series, 7280R/R2 Series, and 7500R/R2 Series systems and IP ACLs on 7280R3 Series, 7500R3 Series, and 7800R3 Series systems. In both cases, a TCAM profile update is also required. Note that TCAM profile update is a disruptive operation that could impact traffic forwarding. More information can be found in\u00a0 User-defined TCAM Profiles https://www.arista.com/en/support/toi/eos-4-26-0f/14755-user-defined-tcam-profiles .\n\n7020R Series, 7280R/R2 Series, and 7500R/R2 Series\n\nMitigation involves using MAC ACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. The suggested MAC ACLs use User Defined Fields (UDFs) to match on specific fields in the packet headers. This requires a TCAM profile update to include the following UDF qualifiers:\n\n  *  For IPv4 tunnels, 2 16b and 1 32b UDF qualifiers need to be included.\n  *  For IPv6 tunnels, 2 16b and 4 32b UDF qualifiers need to be included.\n\n\nHowever, in order to make room for the UDF qualifiers, other TCAM features/qualifiers must be removed due to hardware constraints. Following are some suggested TCAM profile changes to accommodate the required UDF qualifiers:\n\n  *  TCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for MPLS:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key size limit\u00a0\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature mpls\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature mpls pop ingress\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr mpls\n\n\n\u00a0\n\n\u00a0\n  *  TCAM profile that includes the UDF qualifiers for IPv4 tunnels, but removes support for VXLAN:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key field src-mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1\n\n\n\u00a0\n\n\u00a0\u00a0\n  *  TCAM profile that includes the UDF qualifiers for IPv6 tunnels, but removes support for VXLAN and PBR:\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test1 copy default\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key size limit\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no key field src-mac dst-mac\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key field udf-16b-1 udf-16b-2 udf-32b-1 udf-32b-2 udf-32b-3 udf-32b-4\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature tunnel vxlan\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature tunnel vxlan routing\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr ip\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0no feature pbr ipv6\n\n\n\n\u00a0\n\n\n\nPlease contact Arista TAC if further assistance is needed with TCAM profile construction."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ACL to permit VXLAN v4 Decap only\u003cp\u003eThis MAC ACL uses UDF to match on VXLAN packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = VXLAN VTEP IP (say 0xXXXXXXXX - converted in hex)\u003cbr\u003e(c) UDP destination port = VXLAN UDP Port (0x12b5)\u003c/p\u003e\u003cp\u003eIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\nmac access-list payload alias udp-dport-vxlan offset 5 pattern 0x000012b5 mask 0xffff0000\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-vxlan\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GREv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GRE packets as follows:\u003cbr\u003e(a) IP next protocol = GRE (0x2f)\u003cbr\u003e(b) IP DIP = GRE Decap IP (say 0xXXXXXXXX - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GRE packets and drops all other packets to the GRE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-gre offset 2 pattern 0x002f0000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip 
payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf needed, the ACL can also be tweaked to match on specific GRE payloads as follows:\u003c/p\u003e\u003ci\u003eIPv4oGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = IPv4 (0x0800)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-ipv4 offset 5 pattern 0x00000800 mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ci\u003eIPv6oGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = IPv6 (0x86dd)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-ipv6 offset 5 pattern 0x000086dd mask 0xffff0000\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv6\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ci\u003eMPLSoGRE\u003c/i\u003e\u003cp\u003eACL also matches on GRE next protocol = MPLS (0x8847)\u003c/p\u003e\u003cpre\u003emac access-list payload alias gre-protocol-mpls offset 5 pattern 0x00008847 mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 deny any any ip payload alias 
ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 permit any any\u003c/pre\u003e"
            }
          ],
          "value": "ACL to permit VXLAN v4 Decap only\n\nThis MAC ACL uses UDF to match on VXLAN packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = VXLAN VTEP IP (say 0xXXXXXXXX - converted in hex)\n(c) UDP destination port = VXLAN UDP Port (0x12b5)\n\n\n\nIt allows VXLAN packets and drops all other packets to the VXLAN Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n\u00a0\u00a0\u00a0\u00a0\nmac access-list payload alias udp-dport-vxlan offset 5 pattern 0x000012b5 mask 0xffff0000\n\u00a0\u00a0\u00a0\u00a0\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-vxlan\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nACL to permit GREv4 Decap Only\n\nThis MAC ACL uses UDF to match on GRE packets as follows:\n(a) IP next protocol = GRE (0x2f)\n(b) IP DIP = GRE Decap IP (say 0xXXXXXXXX - converted in hex)\n\n\n\nIt allows GRE packets and drops all other packets to the GRE Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-gre offset 2 pattern 0x002f0000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\n\n\nIf needed, the ACL can also be tweaked to match on specific GRE payloads as follows:\n\nIPv4oGRE\n\nACL also matches on GRE next protocol = IPv4 (0x0800)\n\n\n\nmac access-list payload alias gre-protocol-ipv4 offset 5 pattern 0x00000800 mask 0xffff0000\n \nmac 
access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv4\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nIPv6oGRE\n\nACL also matches on GRE next protocol = IPv6 (0x86dd)\n\n\n\nmac access-list payload alias gre-protocol-ipv6 offset 5 pattern 0x000086dd mask 0xffff0000\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-ipv6\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any\n\n\n\u00a0\n\nMPLSoGRE\n\nACL also matches on GRE next protocol = MPLS (0x8847)\n\n\n\nmac access-list payload alias gre-protocol-mpls offset 5 pattern 0x00008847 mask 0xffff0000\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-gre alias ip-dip-decap-ip alias gre-protocol-mpls\n\u00a0\u00a0\u00a02 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 permit any any"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ACL to permit IP-in-IPv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on IP-in-IP packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (0x04) or IPv6 (0x29)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP (say 0xXXXXXXXX - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-ipv4 offset 2 pattern 0x00040000 mask 0xff00ffff\n \nmac access-list payload alias ip-next-protocol-ipv6 offset 2 pattern 0x00290000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-ipv4 alias ip-dip-decap-ip\u0026nbsp;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ip payload alias ip-next-protocol-ipv6 alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv4 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = GUE Decap IP (say 0xXXXXXXXX - converted in hex)\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;(say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac 
access-list payload alias udp-dport-gue-ip offset 5 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 5 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ip payload alias ip-dip-decap-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to permit GUEv6 Decap Only\u003cp\u003eThis MAC ACL uses UDF to match on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IPv6 DIP = GUE Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ipv6-next-protocol-udp offset 1 pattern 0x00001100 mask 0xffff00ff\n \nmac access-list payload alias udp-dport-gue-ip offset 10 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 10 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters 
per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-ip\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-mpls\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\u003c/pre\u003e"
            }
          ],
          "value": "ACL to permit IP-in-IPv4 Decap Only\n\nThis MAC ACL uses UDF to match on IP-in-IP packets as follows:\n(a) IP next protocol = IPv4 (0x04) or IPv6 (0x29)\n(b) IP DIP = IP-in-IP Decap IP (say 0xXXXXXXXX - converted in hex)\n\n\n\nIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-ipv4 offset 2 pattern 0x00040000 mask 0xff00ffff\n \nmac access-list payload alias ip-next-protocol-ipv6 offset 2 pattern 0x00290000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-ipv4 alias ip-dip-decap-ip\u00a0\n\u00a0\u00a0\u00a02 permit any any ip payload alias ip-next-protocol-ipv6 alias ip-dip-decap-ip\n\u00a0\u00a0\u00a03 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to permit GUEv4 Decap Only\n\nThis MAC ACL uses UDF to match on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = GUE Decap IP (say 0xXXXXXXXX - converted in hex)\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0(say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nmac access-list payload alias ip-next-protocol-udp offset 2 pattern 0x00110000 mask 0xff00ffff\n \nmac access-list payload alias ip-dip-decap-ip offset 4 pattern 0xXXXXXXXX mask 0x00000000\n \nmac access-list payload alias udp-dport-gue-ip offset 5 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 5 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list foo\n\u00a0\u00a0\u00a01 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias 
udp-dport-gue-mpls\n\u00a0\u00a0\u00a02 permit any any ip payload alias ip-next-protocol-udp alias ip-dip-decap-ip alias udp-dport-gue-ip\n\u00a0\u00a0\u00a03 deny any any ip payload alias ip-dip-decap-ip\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\nACL to permit GUEv6 Decap Only\n\nThis MAC ACL uses UDF to match on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IPv6 DIP = GUE Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0 (say UDP port for IP payload = 0xYYYY or UDP port for MPLS payload = 0xZZZZ - converted in hex)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nmac access-list payload alias ipv6-next-protocol-udp offset 1 pattern 0x00001100 mask 0xffff00ff\n \nmac access-list payload alias udp-dport-gue-ip offset 10 pattern 0x0000YYYY mask 0xffff0000\n \nmac access-list payload alias udp-dport-gue-mpls offset 10 pattern 0x0000ZZZZ mask 0xffff0000\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-ip\n\u00a0\u00a0\u00a02 permit any any ipv6 payload alias ipv6-next-protocol-udp alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4 alias udp-dport-gue-mpls\n\u00a0\u00a0\u00a03 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias 
ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a04 permit any any"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ACL to permit IP-in-IPv6 Decap Only\u003cp\u003eThe MAC ACL uses UDF to match on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IPv6 DIP = IP-in-IP Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\u003c/p\u003e\u003cp\u003eIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\u003c/p\u003e\u003cpre\u003emac access-list payload alias ipv6-next-protocol-ipv4 offset 1 pattern 0x00000400 mask 0xffff00ff\n \nmac access-list payload alias ipv6-next-protocol-ipv6 offset 1 pattern 0x00002900 mask 0xffff00ff\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit any any ipv6 payload alias ipv6-next-protocol-ipv4 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit any any ipv6 payload alias ipv6-next-protocol-ipv6 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ch3\u003e7280R3 Series, 7500R3 Series, and 7800R3 Series\u003c/h3\u003e\u003cp\u003eMitigation involves using IPv6 PACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. 
This requires the following TCAM profile update with the specified packet types:\u003c/p\u003e\u003cpre\u003ehardware tcam\n\u0026nbsp;\u0026nbsp;\u0026nbsp;profile test\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;feature acl port ipv6\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 ipv4 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 ipv6 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue ipv4 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue ipv6 forwarding routed decap\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;packet ipv6 gue mpls forwarding mpls decap\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eNote that introducing new packet types might also require specifying them under other features such as \u201cacl vlan\u201d or \u201cqos ipv6\u201d. 
Please reach out, if further assistance is needed with TCAM profile construction.\u003c/p\u003eACL to Permit GUEv6 Only\u003cp\u003eThis IPv6 ACL matches on GUE packets as follows:\u003cbr\u003e(a) IP next protocol = UDP (0x11)\u003cbr\u003e(b) IP DIP = GUE Decap IP\u003cbr\u003e(c) UDP destination port = UDP port configured per payload\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; (IP = Y or MPLS = Z)\u003c/p\u003e\u003cp\u003eIt allows GUE packets and drops all other packets to the GUE Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit udp any host \u0026lt;decap-ip\u0026gt; eq Y\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit udp any host \u0026lt;decap-ip\u0026gt; eq Z\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003eACL to Permit IP-in-IPv6 Only\u003cp\u003eThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\u003cbr\u003e(a) IP next protocol = IPv4 (4) or IPv6 (41)\u003cbr\u003e(b) IP DIP = IP-in-IP Decap IP\u003c/p\u003e\u003cp\u003eIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\u003c/p\u003e\u003cpre\u003eipv6 access-list foo\n\u0026nbsp;\u0026nbsp;\u0026nbsp;counters per-entry\n\u0026nbsp;\u0026nbsp;\u0026nbsp;1 permit 4 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;2 permit 41 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;3 deny ipv6 any host \u0026lt;decap-ip\u0026gt;\n\u0026nbsp;\u0026nbsp;\u0026nbsp;4 permit ipv6 any any\u003c/pre\u003e"
            }
          ],
          "value": "ACL to permit IP-in-IPv6 Decap Only\n\nThe MAC ACL uses UDF to match on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IPv6 DIP = IP-in-IP Decap IP (say 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD - converted in hex)\n\n\n\nIt allows IP-in-ip packets and drops all other packets to the IP-in-IP Decap IP.\n\n\n\nmac access-list payload alias ipv6-next-protocol-ipv4 offset 1 pattern 0x00000400 mask 0xffff00ff\n \nmac access-list payload alias ipv6-next-protocol-ipv6 offset 1 pattern 0x00002900 mask 0xffff00ff\n \nmac access-list payload alias ipv6-dip-decap-ip1 offset 6 pattern 0xAAAAAAAA mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip2 offset 7 pattern 0xBBBBBBBB mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip3 offset 8 pattern 0xCCCCCCCC mask 0\n \nmac access-list payload alias ipv6-dip-decap-ip4 offset 9 pattern 0xDDDDDDDD mask 0\n \nmac access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit any any ipv6 payload alias ipv6-next-protocol-ipv4 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a02 permit any any ipv6 payload alias ipv6-next-protocol-ipv6 alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a03 deny any any ipv6 payload alias ipv6-dip-decap-ip1 alias ipv6-dip-decap-ip2 alias ipv6-dip-decap-ip3 alias ipv6-dip-decap-ip4\n\u00a0\u00a0\u00a04 permit any any\n\n\n\u00a0\n\n7280R3 Series, 7500R3 Series, and 7800R3 Series\n\nMitigation involves using IPv6 PACLs to allow specific expected protocol packets and block all other traffic to the configured decap IPs. 
This requires the following TCAM profile update with the specified packet types:\n\n\n\nhardware tcam\n\u00a0\u00a0\u00a0profile test\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0feature acl port ipv6\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 ipv4 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 ipv6 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue ipv4 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue ipv6 forwarding routed decap\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet ipv6 gue mpls forwarding mpls decap\n\n\n\u00a0\n\n\n\nNote that introducing new packet types might also require specifying them under other features such as \u201cacl vlan\u201d or \u201cqos ipv6\u201d. Please reach out, if further assistance is needed with TCAM profile construction.\n\nACL to Permit GUEv6 Only\n\nThis IPv6 ACL matches on GUE packets as follows:\n(a) IP next protocol = UDP (0x11)\n(b) IP DIP = GUE Decap IP\n(c) UDP destination port = UDP port configured per payload\n\u00a0\u00a0\u00a0\u00a0\u00a0 (IP = Y or MPLS = Z)\n\n\n\nIt allows GUE packets and drops all other packets to the GUE Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit udp any host \u003cdecap-ip\u003e eq Y\n\u00a0\u00a0\u00a02 permit udp any host \u003cdecap-ip\u003e eq Z\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any\n\n\n\u00a0\n\nACL to Permit IP-in-IPv6 Only\n\nThis IPv6 ACL matches on IP-in-IPv6 packets as follows:\n(a) IP next protocol = IPv4 (4) or IPv6 (41)\n(b) IP DIP = IP-in-IP Decap IP\n\n\n\nIt allows IP-in-IPv6 packets and drops all other packets to the IP-in-IPv6 Decap IP.\n\n\n\nipv6 access-list foo\n\u00a0\u00a0\u00a0counters per-entry\n\u00a0\u00a0\u00a01 permit 4 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a02 permit 41 
any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a03 deny ipv6 any host \u003cdecap-ip\u003e\n\u00a0\u00a0\u00a04 permit ipv6 any any"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2026-7473",
    "datePublished": "2026-06-05T16:22:47.989Z",
    "dateReserved": "2026-04-29T20:08:22.118Z",
    "dateUpdated": "2026-06-05T16:22:47.989Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}



No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.