Description
BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable to Denial of Service. The flawed command exposes both ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or shut down the clamd process. The clamd documentation explicitly warns about exposing this port. Enabling ufw (Ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which is not managed or restricted by ufw. Rules installed by ufw in the filter table have no effect on Docker traffic. In addition, the provided example also mounts /var/bigbluebutton with write permissions into the container, which should not be required. Future vulnerabilities in clamd may allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.
Published: 2026-02-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The flaw is a documentation error rather than a code defect: the example command in the Server Customization guide publishes the ClamAV daemon ports 3310 and 7357 on all interfaces, so on an internet-facing BBB server they are reachable by anyone. A remote attacker who can reach them can submit very large or deliberately complex documents to clamd to exhaust CPU and memory, or shut the daemon down, which disables presentation scanning on the server. The clamd documentation itself warns against exposing this port. The weakness is classified as CWE-668: Exposure of Resource to Wrong Sphere.

Affected Systems

The issue affects BigBlueButton 3.0.21 and earlier installations whose operators followed the optional ClamAV steps in the official Server Customization guide; installations that never enabled the ClamAV integration are unaffected. The problem lies in the documented docker run example, not in BigBlueButton's own packages: it publishes clamd's ports 3310 and 7357 to the external network and bind-mounts the host's /var/bigbluebutton directory into the container with write access. clamd only needs to read the files it scans, so the write access is unnecessary, and a future clamd vulnerability could let an attacker modify presentation files in that directory.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L, score 7.2 High) reflects an attack over the network with no privileges or user interaction and a changed scope, since the vulnerable component is the clamd container while the impacted component is the BBB server it serves. The EPSS score is below 1 %, so the modelled probability of exploitation is low but not zero; the SSVC enrichment recorded on this page rates exploitation at proof-of-concept level and the attack as automatable. The vulnerability is not listed in the CISA KEV catalog. Exploitation only requires network reachability to the exposed ports, which the flawed command publishes on all interfaces; enabling ufw does not close them, because ufw's rules live in the filter table's INPUT chain while traffic to Docker-published ports is DNATed in the nat table and forwarded to the container. Connecting to a TCP port and streaming data to it is trivial to script, so an attacker can repeatedly degrade or stop the scanner without any credentials.

Generated by OpenCVE AI on April 17, 2026 at 16:50 UTC.

Remediation

The CVE description states that the flawed instructions were corrected in BigBlueButton 3.0.22; no separate vendor advisory or reference link is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade BigBlueButton to version 3.0.22 or later, where the defect is resolved.
  • Do not rely on ufw to protect the ClamAV ports: its filter-table rules do not apply to traffic that Docker DNATs to a container. Either stop publishing ports 3310 and 7357 altogether, bind them to the loopback address only so that just the host-side scanner can reach clamd, or add an explicit DROP for external traffic in Docker's DOCKER-USER chain, which Docker evaluates before its own forwarding rules.
  • Mount /var/bigbluebutton into the container read-only. clamd only needs to read the files it scans, so write access adds attack surface that a future clamd vulnerability could turn into file tampering.
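As an added example (not BigBlueButton's documentation or code), the following POSIX shell script contrasts the shape of the flawed docker run invocation described above with a hardened one that binds clamd to loopback and mounts the presentation directory read-only, and adds two checks a practitioner can run: one that flags -p specs not bound to loopback and read-write -v mounts in a run command, and one that picks clamd's ports out of ss -ltn output when they listen on a wildcard address. The image name clamav/clamav, the container name, the exact flags and the ss sample are constructed assumptions; the real command from the BBB guide is not reproduced on this page.

```shell
#!/bin/sh
# Added example, not from the BigBlueButton documentation. The image name,
# container name, flags and the ss(8) sample below are constructed assumptions.

# Shape of the flawed instruction described in the advisory: both clamd ports
# published on every interface (no host address means 0.0.0.0) and the
# presentation directory mounted read-write.
FLAWED_RUN='docker run -d --name clamav -p 3310:3310 -p 7357:7357 -v /var/bigbluebutton:/var/bigbluebutton clamav/clamav'

# Hardened shape: publish only on loopback so the host-side scanner can reach
# clamd while nothing off-host can, and mount the scan directory read-only.
HARDENED_RUN='docker run -d --name clamav -p 127.0.0.1:3310:3310 -p 127.0.0.1:7357:7357 -v /var/bigbluebutton:/var/bigbluebutton:ro clamav/clamav'

# A -p spec is [host_addr:]host_port:container_port. Only an explicit loopback
# address keeps the port off external interfaces; anything else is treated as
# public (a specific non-loopback address is still reachable on that interface).
publish_spec_is_public() {
    case "$1" in
        127.*:*:*|'[::1]':*:*|localhost:*:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Count -p/--publish specs in a run command that are not loopback-bound.
count_public_publishes() {
    count=0
    prev=''
    for tok in $1; do
        if [ "$prev" = '-p' ] || [ "$prev" = '--publish' ]; then
            publish_spec_is_public "$tok" && count=$((count + 1))
        fi
        prev=$tok
    done
    echo "$count"
}

# Count -v/--volume bind mounts that lack the ro option.
count_writable_mounts() {
    count=0
    prev=''
    for tok in $1; do
        if [ "$prev" = '-v' ] || [ "$prev" = '--volume' ]; then
            case "$tok" in
                *:ro|*:ro,*|*,ro|*,ro,*) ;;
                *) count=$((count + 1)) ;;
            esac
        fi
        prev=$tok
    done
    echo "$count"
}

# Constructed `ss -ltn` output for a host that followed the flawed instructions.
# With Docker's default userland proxy the published ports show up as listeners
# on 0.0.0.0, so the exposure is visible from the host even though ufw shows
# no opening for them.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      4096         0.0.0.0:3310         0.0.0.0:*
LISTEN 0      4096         0.0.0.0:7357         0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432         0.0.0.0:*'

# Print clamd ports (3310, 7357) that listen on a wildcard address.
# Live use on a host: exposed_clamd_listeners "$(ss -ltn)"
exposed_clamd_listeners() {
    printf '%s\n' "$1" | while read -r state _ _ laddr _; do
        [ "$state" = 'LISTEN' ] || continue
        case "$laddr" in
            0.0.0.0:3310|0.0.0.0:7357|'*':3310|'*':7357|'[::]':3310|'[::]':7357) echo "$laddr" ;;
        esac
    done
}

echo "flawed:   public ports=$(count_public_publishes "$FLAWED_RUN") rw mounts=$(count_writable_mounts "$FLAWED_RUN")"
echo "hardened: public ports=$(count_public_publishes "$HARDENED_RUN") rw mounts=$(count_writable_mounts "$HARDENED_RUN")"
echo "wildcard clamd listeners in sample ss output:"
exposed_clamd_listeners "$SAMPLE_SS"
```

Binding to 127.0.0.1 is the simplest fix because it does not depend on firewall ordering. If a host firewall rule is wanted as well, the place Docker honours for published ports is its DOCKER-USER chain in the filter table, evaluated before Docker's own forwarding rules, for example `iptables -I DOCKER-USER -i eth0 -p tcp -m multiport --dports 3310,7357 -j DROP`, with eth0 standing in for the external interface; rules ufw adds to INPUT never see this traffic.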

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*

Wed, 25 Feb 2026 09:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Bigbluebutton; Bigbluebutton bigbluebutton

Type: Vendors & Products
Values Removed: (none)
Values Added: Bigbluebutton; Bigbluebutton bigbluebutton

Sat, 21 Feb 2026 07:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable for Denial of Service. The flawed command exposes both ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or shutdown the clamd process. The clamd documentation explicitly warns about exposing this port. Enabling ufw (ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which is not managed or restricted by ufw. Rules installed by ufw in the filter table have no effect on docker traffic. In addition, the provided example also mounts /var/bigbluebutton with write permissions into the container, which should not be required. Future vulnerabilities in clamd may allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.

Type: Title
Values Removed: (none)
Values Added: BigBlueButton: Exposed ClamAV port enables Denial of Service

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-668

Type: References
Values Removed: (none)
Values Added: (none recorded)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:48:15.788Z

Reserved: 2026-02-19T17:25:31.101Z

Link: CVE-2026-27466

Vulnrichment

Updated: 2026-02-24T18:48:08.252Z

NVD

Status : Analyzed

Published: 2026-02-21T08:16:11.647

Modified: 2026-02-26T18:59:18.317

Link: CVE-2026-27466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses