CVE-2026-27466
Status: Received - Intake
Denial of Service via ClamAV Misconfiguration in BigBlueButton

Publication date: 2026-02-21

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official "Server Customization" documentation on support for ClamAV as a presentation file scanner contains instructions that leave a BBB server vulnerable to denial of service. The flawed command exposes both clamd ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or to shut down the clamd process. The clamd documentation explicitly warns about exposing this port. Enabling ufw (the Ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which ufw neither manages nor restricts; rules installed by ufw in the filter table have no effect on Docker traffic. In addition, the provided example mounts /var/bigbluebutton with write permissions into the container, which should not be required: future vulnerabilities in clamd may allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.
Meta Information
Published: 2026-02-21
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-05-05
Sources: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: bigbluebutton
Product: bigbluebutton
Version / Range: up to 3.0.22 (excluding 3.0.22)
CWE
CWE-668: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27466 is a denial of service vulnerability in BigBlueButton (BBB) versions 3.0.21 and below, related to the optional ClamAV configuration for scanning presentation files. The official BBB documentation provided instructions that expose ClamAV's ports 3310 and 7357 to the internet, allowing remote attackers to send complex or large documents to the clamd daemon. This can exhaust server resources or cause the clamd process to shut down.

The vulnerability is worsened because enabling Ubuntu's UFW firewall does not restrict Docker container traffic due to Docker's use of the NAT table, which UFW does not manage. Additionally, the example mounts the /var/bigbluebutton directory with write permissions inside the container, which is unnecessary and could allow future vulnerabilities to manipulate files in that directory.

This issue was fixed in BBB version 3.0.22 by updating the ClamAV Docker configuration to restrict network exposure, reduce privileges, and apply resource constraints. [1]


How can this vulnerability impact me?

This vulnerability can impact you by allowing a remote attacker to cause a denial of service on your BigBlueButton server if you have enabled ClamAV support following the vulnerable documentation. Attackers can send large or complex files to the clamd service, exhausting server resources or shutting down the clamd process, which may disrupt file scanning functionality.

Because the exposed ports are accessible over the internet, the attack can be performed remotely without any privileges or user interaction, making it a network-based, low-complexity attack.

Furthermore, the writable mount of /var/bigbluebutton inside the container could allow future vulnerabilities to manipulate files in that directory, potentially leading to more severe impacts such as remote code execution.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the ClamAV daemon (clamd) ports 3310 and 7357 are exposed to the internet on your BigBlueButton server. Specifically, if these ports are accessible from outside your local network, your server may be vulnerable.

A proof of concept involves sending the "SHUTDOWN" command to port 3310 using netcat, which can terminate the clamd process if the vulnerability is present.

  • Use netcat to test port 3310: `echo "SHUTDOWN" | nc <server-ip> 3310`
  • Scan your network to see if ports 3310 and 7357 are open and reachable from outside using tools like nmap: `nmap -p 3310,7357 <server-ip>`
  • Check Docker container port bindings to see if ports 3310 and 7357 are published on all interfaces (0.0.0.0) instead of localhost (127.0.0.1). [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include reconfiguring the ClamAV Docker container to reduce exposure and resource risks as follows:

  • Bind the ClamAV container port 3310 only to localhost (127.0.0.1) instead of all network interfaces (0.0.0.0).
  • Remove exposure of port 7357 entirely.
  • Mount the /var/bigbluebutton directory as read-only inside the container or avoid mounting it if not necessary.
  • Run the ClamAV container as a non-root user using the /init-unprivileged entrypoint.
  • Apply CPU and memory constraints to the container to limit resource exhaustion.
  • Configure the container to automatically restart after crashes or reboots.

Additionally, users should upgrade to BigBlueButton version 3.0.22 or later, which includes fixed documentation and safer default configurations for ClamAV.
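The following shell script is an added example written by this editor; it is not code from BigBlueButton, ClamAV or the source cited as [1]. It combines the detection check described above (inspecting Docker port bindings and the nat table that ufw does not cover) with the hardening list (loopback-only 3310, no 7357, read-only mount, unprivileged entrypoint, resource caps, restart policy). It assumes the official `clamav/clamav` image, a container named `clamav`, Docker's default iptables-based port publishing, and that clamd only needs to be reachable from the BBB host itself; the image tag, container name and resource limits are placeholders to adjust, and the `docker port` lines used to exercise the check are constructed.

```shell
#!/bin/sh
# Added example, not BigBlueButton's or ClamAV's own code.
# Assumptions (not from the advisory): the official clamav/clamav image,
# a container named "clamav", and Docker's default iptables-based port
# publishing. Presentations live under /var/bigbluebutton as the advisory says.

CLAMAV_IMAGE="${CLAMAV_IMAGE:-clamav/clamav:stable}"   # assumed image tag
CLAMAV_NAME="${CLAMAV_NAME:-clamav}"                   # assumed container name

# Hardened "docker run" arguments, one per line, following the mitigation
# list: 3310 on loopback only, 7357 not published at all, the BBB tree
# mounted read-only, the image's /init-unprivileged entrypoint, CPU and
# memory caps (sizes are placeholders), and automatic restart.
# Use as:  docker run $(clamav_hardened_args)
clamav_hardened_args() {
  printf '%s\n' \
    "--name=$CLAMAV_NAME" \
    "--detach" \
    "--restart=unless-stopped" \
    "--publish=127.0.0.1:3310:3310" \
    "--volume=/var/bigbluebutton:/var/bigbluebutton:ro" \
    "--memory=2g" \
    "--cpus=1" \
    "--entrypoint=/init-unprivileged" \
    "$CLAMAV_IMAGE"
}

# Detection: read "docker port <container>" output on stdin and print every
# clamd port (3310 or 7357) that is published on all interfaces. Returns 1 if
# any such binding exists, 0 if clamd is loopback-only or not published.
# docker port prints lines like "3310/tcp -> 0.0.0.0:3310" or "3310/tcp -> [::]:3310".
exposed_clamd_bindings() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      3310/*|7357/*) ;;
      *) continue ;;
    esac
    host="${line##*-> }"   # "0.0.0.0:3310", "[::]:3310" or "127.0.0.1:3310"
    host="${host%:*}"      # drop the host port, keep the bind address
    case "$host" in
      0.0.0.0|'[::]'|'*'|'') printf '%s\n' "$line"; found=1 ;;
    esac
  done
  return "$found"
}

# Convenience wrapper over a running container.
check_container() {
  docker port "${1:-$CLAMAV_NAME}" | exposed_clamd_bindings
}

# ufw never sees Docker's DNAT rules, so list them straight from the nat table.
# Any rule with --dport 3310 or 7357 means the port is reachable regardless of
# ufw's filter-table rules (needs root; iptables backend assumed).
docker_nat_rules_for_clamd() {
  iptables -t nat -S DOCKER 2>/dev/null | grep -E -- '--dport (3310|7357)'
}

# Non-destructive reachability probe: clamd answers PING with PONG, so this
# confirms exposure without shutting the daemon down like the SHUTDOWN PoC.
clamd_reachable() {
  printf 'PING\n' | nc -w 3 "${1:?host}" "${2:-3310}" | grep -q PONG
}
```

Run `check_container clamav` after applying the hardened arguments; it should print nothing and exit 0. A non-empty `docker_nat_rules_for_clamd` output on a host where the check still passes usually means a second, older container or a host-side clamd is publishing the port.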

