CVE-2026-27466
Published: 21 February 2026
Description
BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official "Server Customization" documentation section "Support for ClamAV as presentation file scanner" contains instructions that leave a BBB server vulnerable to denial of service. The flawed command exposes both ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or shut down the clamd process. The clamd documentation explicitly warns against exposing this port. Enabling ufw (the Ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which ufw neither manages nor restricts; rules installed by ufw in the filter table have no effect on Docker traffic. In addition, the provided example also mounts /var/bigbluebutton with write permissions into the container, which should not be required; future vulnerabilities in clamd could allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.
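The two configuration mistakes described above (publishing the clamd ports on all interfaces, and a writable bind mount of /var/bigbluebutton) can be caught before the container is ever started. The POSIX shell script below is an added example, not BigBlueButton's documentation or its fix: it lints a `docker run` command for exactly those two conditions and prints a hardened launch command. The image name `clamav/clamav`, the container-side mount path and the decision to publish only 3310 (and not 7357) are assumptions for the example. Binding the published port to 127.0.0.1 matters because Docker implements `-p` with nat-table DNAT rules that ufw's filter-table rules never see; with a loopback host address, that DNAT rule only matches packets addressed to the host itself.

```shell
#!/bin/sh
# Added example (not BigBlueButton's own documentation or fix): lint a
# "docker run" command for the two issues in the advisory before running it.
# Assumptions: image name clamav/clamav and the container-side mount path.

# A -p spec is acceptable only if it names a loopback host address explicitly.
# "3310:3310" and "0.0.0.0:3310:3310" both publish on every interface, which
# Docker implements with nat-table DNAT rules that ufw's filter rules never see.
port_spec_is_loopback() {
  case "$1" in
    127.*:*:*) return 0 ;;
    "[::1]":*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# A -v spec is acceptable only if the bind mount is read-only (":ro" option).
mount_spec_is_readonly() {
  case "$1" in
    *:ro|*:ro,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk the words of a docker run command; fail on the first -p or -v spec that
# publishes a port on all interfaces or mounts a host directory writable.
# Input is a single string; paths in this example contain no whitespace.
lint_docker_run() {
  set -- $1
  while [ $# -gt 0 ]; do
    case "$1" in
      -p|--publish)
        shift
        port_spec_is_loopback "$1" || { echo "port published on all interfaces: $1" >&2; return 1; }
        ;;
      -v|--volume)
        shift
        mount_spec_is_readonly "$1" || { echo "writable bind mount: $1" >&2; return 1; }
        ;;
    esac
    shift
  done
  return 0
}

# Hardened launch command: clamd's 3310 reachable only from the host itself
# (the BBB components that hand files to clamd run there, which is why the
# directory is mounted at all), 7357 not published, and the presentation
# directory mounted read-only so clamd can only read what it scans.
hardened_clamd_cmd() {
  printf '%s' "docker run -d --name clamav -p 127.0.0.1:3310:3310 -v /var/bigbluebutton:/var/bigbluebutton:ro clamav/clamav"
}

# Usage: "sh lint_clamd.sh --run" lints the hardened command and then starts it.
if [ "${1:-}" = "--run" ]; then
  cmd=$(hardened_clamd_cmd)
  lint_docker_run "$cmd" && sh -c "$cmd"
fi
```

After the container is up, `ss -ltnp | grep 3310` on the host should show the listener on 127.0.0.1 only, and `iptables -t nat -L DOCKER -n` should show the DNAT rule restricted to that destination address; a listener on 0.0.0.0 or `:::` means the port is still reachable from outside regardless of ufw.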
Mitigating Controls (NIST 800-53 r5)
Boundary protection enforces firewall rules and network segmentation to block internet access to clamd ports 3310 and 7357, even through Docker NAT tables, preventing remote DoS attacks.
Least functionality prohibits unnecessary exposure of clamd service to the internet and restricts write permissions on Docker volume mounts like /var/bigbluebutton, avoiding the flawed documentation configuration.
Denial-of-service protection implements rate limiting and resource safeguards against attacks sending complex or large documents to clamd, mitigating resource exhaustion and process shutdown.
Security Summary
CVE-2026-27466 affects BigBlueButton, an open-source virtual classroom platform, specifically versions 3.0.21 and below. The vulnerability stems from instructions in the official "Server Customization" documentation for enabling ClamAV as a presentation file scanner. These instructions configure a flawed command that exposes ClamAV daemon (clamd) ports 3310 and 7357 to the internet, enabling denial-of-service attacks. Additionally, the setup mounts the /var/bigbluebutton directory with write permissions into the Docker container, potentially exposing it to future clamd vulnerabilities. Users are unaffected unless they explicitly followed these optional documentation steps.
A remote attacker with network access can exploit this by sending complex or large documents to the exposed clamd ports, wasting server resources or shutting down the clamd process entirely. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L) reflects high severity due to low attack complexity, no required privileges or user interaction, and changed scope impacting availability with low confidentiality impact. Enabling UFW during installation provides no protection, as Docker routes container traffic through the NAT table, bypassing UFW rules in the filter table.
The issue has been addressed in BigBlueButton version 3.0.22. The GitHub security advisory (GHSA-wmhx-qw2p-w6gc) and associated commit (f3d33d94a9682e87c7d41f55700b19d61e1ab8b4) detail the fix, emphasizing that administrators should upgrade and avoid following the vulnerable documentation instructions. The clamd documentation itself warns against exposing these ports to untrusted networks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes ClamAV daemon ports to the internet, enabling remote attackers to send complex or large documents to exhaust server resources or shut down the clamd service, directly mapping to Service Exhaustion Flood.