CVE-2026-27466 in BigBlueButton
Summary
by MITRE • 02/21/2026
BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable to denial of service. The flawed command exposes both ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or shut down the clamd process. The clamd documentation explicitly warns about exposing this port. Enabling ufw (Ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which is not managed or restricted by ufw. Rules installed by ufw in the filter table have no effect on Docker traffic. In addition, the provided example also mounts /var/bigbluebutton with write permissions into the container, which should not be required. Future vulnerabilities in clamd may allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.
Analysis
by VulDB Data Team • 02/27/2026
CVE-2026-27466 represents a critical denial of service vulnerability affecting BigBlueButton versions 3.0.21 and earlier, where the official documentation for ClamAV presentation file scanning contains dangerous configuration instructions. The vulnerability stems from improper network exposure of ClamAV's daemon service on ports 3310 and 7357, ports that ClamAV's own documentation explicitly warns against exposing to the public internet. This flaw gives remote attackers a direct pathway to consume excessive server resources by submitting complex documents to clamd, or to terminate the clamd process entirely, compromising system availability and service integrity.
The technical implementation flaw occurs when administrators follow the documented server customization steps, which inadvertently expose critical service ports without proper network segmentation or access controls. The vulnerability is exacerbated by Docker container networking behavior where ufw firewall rules in the filter table do not affect container traffic routing through the nat table, rendering standard firewall protections ineffective. This architectural limitation means that even when administrators enable Ubuntu's default firewall during installation, the containerized ClamAV service remains accessible from external networks. The security implications extend beyond immediate denial of service, as the documentation also recommends mounting /var/bigbluebutton with write permissions into the container, creating potential attack vectors for future exploitation.
The operational impact of this vulnerability is severe for organizations relying on BigBlueButton's presentation scanning capabilities, as it transforms a legitimate security feature into a potential attack surface. Remote attackers can leverage this exposure to exhaust server resources through resource-intensive document processing, effectively creating a denial of service condition that impacts all users of the virtual classroom platform. The combination of exposed ports and overly permissive file system mounts creates a multi-layered attack surface where the initial denial of service can potentially escalate to file system manipulation or persistence mechanisms. This vulnerability directly maps to CWE-284 (Improper Access Control) and CWE-400 (Uncontrolled Resource Consumption) while aligning with ATT&CK techniques such as T1499.004 (Endpoint Denial of Service) and T1071.004 (Application Layer Protocol: DNS) for resource exhaustion attacks.
Mitigation strategies should immediately involve upgrading to BigBlueButton version 3.0.22, which addresses the vulnerability through corrected documentation and configuration practices. Administrators must ensure that ClamAV service ports are properly restricted to internal networks only, implementing network segmentation through proper firewall rules or container networking configurations. The recommended approach involves removing the dangerous documentation instructions that expose ports to the internet and implementing proper access controls using iptables rules or Docker network configurations that prevent external access to ClamAV ports. Additionally, the file system mount permissions should be reviewed and restricted to only necessary access levels, eliminating unnecessary write permissions to /var/bigbluebutton within the container context to prevent potential future exploitation vectors.
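The ufw/nat behaviour described above and the loopback-only binding recommended here can be checked on a host with a small audit helper. The script below is an added example (not from BigBlueButton, ClamAV or VulDB): it reads `docker port <container>` style output and flags any published port that is not bound to a loopback address; the sample lines and the `-p` flags mentioned in the comments are constructed assumptions, not the documentation's actual command.

```shell
#!/bin/sh
# Added audit helper (example code, not BigBlueButton's or ClamAV's).
# Docker publishes ports through the nat table, so ufw's filter-table
# rules do not restrict them; the only reliable host-side fix for a
# local-only service such as clamd is to bind the published port to a
# loopback address (e.g. assumed flags: -p 127.0.0.1:3310:3310) or to
# publish no port at all and use the Docker network. For the mount,
# the assumed safe form is -v /var/bigbluebutton:/scan:ro (read-only).

# Reads `docker port` lines on stdin, prints EXPOSED for each binding
# reachable from other hosts (anything not on 127.x or [::1]).
flag_exposed_bindings() {
  while IFS= read -r line; do
    case "$line" in
      *' -> 127.'*|*' -> [::1]:'*) ;;            # loopback only: fine
      *' -> '*) printf 'EXPOSED %s\n' "$line" ;;  # wildcard/public bind
    esac
  done
}

# Constructed sample output, imitating `docker port clamav` for a
# container started with assumed flawed flags -p 3310:3310 -p 7357:7357.
SAMPLE_BAD='3310/tcp -> 0.0.0.0:3310
3310/tcp -> [::]:3310
7357/tcp -> 0.0.0.0:7357'

# Same container after binding to loopback only (-p 127.0.0.1:3310:3310).
SAMPLE_OK='3310/tcp -> 127.0.0.1:3310'

# Wrapper so a sample can be audited from a test or a shell prompt.
audit_sample() { printf '%s\n' "$1" | flag_exposed_bindings; }

# Real use on a host (hypothetical container name "clamav"):
#   docker port clamav | flag_exposed_bindings
```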