CVE-2026-27466

Severity: High · Public PoC referenced

Published: 21 February 2026
Modified: 26 February 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in BigBlueButton 3.0.22
CVSS v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)
EPSS: 0.0040 (31.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27466 is a high-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in BigBlueButton. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Exhaustion Flood (T1499.002). EPSS ranks the vulnerability at the 31.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-27466 affects BigBlueButton, an open-source virtual classroom platform, in versions 3.0.21 and below. The vulnerability stems from instructions in the official "Server Customization" documentation for enabling ClamAV as a presentation file scanner. The documented command starts the ClamAV container with the clamd ports 3310 and 7357 published on every host interface, exposing them to the internet and enabling denial-of-service attacks. The same command also mounts the /var/bigbluebutton directory into the container with write permissions, which should not be required and which would hand any future clamd vulnerability write access to that directory. Installations are unaffected unless the administrator explicitly followed these optional documentation steps.

A remote, unauthenticated attacker with network access to the host can send complex or large documents to the exposed clamd ports, wasting server resources or shutting down the clamd process entirely. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L) reflects low attack complexity, no required privileges or user interaction, and a changed scope, with low availability and low confidentiality impact. Enabling ufw during installation provides no protection: Docker publishes the ports with DNAT rules in the nat table and accepts the forwarded traffic in its own DOCKER chain, which is inserted ahead of ufw's chains in the filter table, so ufw's rules never match these packets.

The issue has been addressed in BigBlueButton version 3.0.22. The GitHub security advisory (GHSA-wmhx-qw2p-w6gc) and the associated commit (f3d33d94a9682e87c7d41f55700b19d61e1ab8b4) detail the fix and emphasize that administrators should upgrade and avoid following the vulnerable documentation instructions. Because the flaw lies in the documented configuration rather than in the BigBlueButton packages, administrators who already deployed ClamAV this way should also re-create the container with the corrected settings; upgrading alone does not change a container that is already running with the exposed ports and writable mount. The clamd documentation itself warns against exposing these ports to untrusted networks.

Vulnerability details

BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable to Denial of Service. The flawed command… exposes both ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or shut down the clamd process. The clamd documentation explicitly warns about exposing this port. Enabling ufw (Ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which is not managed or restricted by ufw. Rules installed by ufw in the filter table have no effect on Docker traffic. In addition, the provided example also mounts /var/bigbluebutton with write permissions into the container, which should not be required. Future vulnerabilities in clamd may allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.

CWE(s)

CWE-668 Exposure of Resource to Wrong Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.002 Service Exhaustion Flood (tactic: Impact)
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Why these techniques?

The vulnerability exposes ClamAV daemon ports to the internet, enabling remote attackers to send complex or large documents to exhaust server resources or shut down the clamd service, directly mapping to Service Exhaustion Flood.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2857 (shared CWE-668)
CVE-2026-30912 (shared CWE-668)
CVE-2024-57838 (shared CWE-668)
CVE-2026-34765 (shared CWE-668)
CVE-2026-20160 (shared CWE-668)
CVE-2026-44008 (shared CWE-668)
CVE-2026-33573 (shared CWE-668)
CVE-2026-39911 (shared CWE-668)
CVE-2022-49509 (shared CWE-668)
CVE-2024-13484 (shared CWE-668)

Affected Assets

Vendor: bigbluebutton
Product: bigbluebutton
Versions: ≤ 3.0.21 (fixed in 3.0.22)

Mitigating Controls (NIST 800-53 r5)

prevent · SC-7 Boundary Protection

Firewall rules and network segmentation must block internet access to the ClamAV container's ports 3310 and 7357. Because Docker publishes ports through DNAT rules in the nat table and accepts the forwarded traffic ahead of ufw's chains in the filter table, the restriction has to be applied where Docker honours it: publish the ports only on the loopback address (a host-side bind of 127.0.0.1 in the -p argument) or place the blocking rules in Docker's DOCKER-USER chain, which Docker evaluates before its own accept rules.

prevent · CM-7 Least Functionality

Least functionality prohibits exposing the clamd service to the internet at all and restricts the Docker volume mount of /var/bigbluebutton to read-only, avoiding the configuration the flawed documentation described.

prevent · SC-5 Denial-of-Service Protection

Denial-of-service protection applies rate limiting and resource safeguards against clients sending complex or large documents to clamd, mitigating resource exhaustion and process shutdown.
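The following shell script is an added example and is not code from the BigBlueButton project, its documentation or the advisory. It turns the exposure described in the deeper analysis and the boundary-protection control above into two offline checks: a linter for a `docker run` command string that flags ports published on every interface and writable bind mounts, and a filter over `iptables -t nat -S DOCKER` output that lists the host ports Docker DNATs for any destination address, which is exactly the traffic ufw's filter-table rules never restrict. The command strings and the iptables snapshots are constructed samples that follow the pattern the page describes; the real documented command is not reproduced here, and IMAGE is a placeholder for the container image.

```shell
#!/bin/sh
# Added example: two offline checks for the exposure pattern described on this
# page. Not code from the BigBlueButton project or its advisory.
#   audit_docker_run        lints a `docker run` command string for ports published
#                           on every interface and for writable bind mounts
#   exposed_ports_from_nat  reads `iptables -t nat -S DOCKER` output and prints the
#                           host ports DNAT'ed for any destination address, i.e. the
#                           traffic that ufw's filter-table rules never restrict
# All inputs below are constructed samples; IMAGE is a placeholder, not the image
# the documentation named.

# Vulnerable pattern: ports bound on all interfaces, writable mount of /var/bigbluebutton.
VULNERABLE_CMD='docker run -d --name clamav -p 3310:3310 -p 7357:7357 -v /var/bigbluebutton:/var/bigbluebutton IMAGE'
# Hardened form: publish on loopback only (the scanner serves the same host) and mount read-only.
HARDENED_CMD='docker run -d --name clamav -p 127.0.0.1:3310:3310 -p 127.0.0.1:7357:7357 -v /var/bigbluebutton:/var/bigbluebutton:ro IMAGE'

# Usage: audit_docker_run "<docker run ...>"
# Prints one finding per line; returns 0 only when nothing was found.
# Understands the IPv4 forms of -p/--publish (PORT, HOST:CONTAINER, IP:HOST:CONTAINER)
# and -v/--volume SRC:DST[:OPTS]; the --publish=... and --mount forms are not parsed.
audit_docker_run() {
    audit_findings=0
    # shellcheck disable=SC2086  # word splitting is intended; the samples carry no quoted arguments
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--publish)
                spec=$2; shift
                case "$spec" in
                    *:*:*) host_ip=${spec%%:*} ;;
                    *)     host_ip=0.0.0.0 ;;    # no address given: Docker binds every interface
                esac
                if [ "$host_ip" = 0.0.0.0 ]; then
                    echo "port published on all interfaces: -p $spec"
                    audit_findings=$((audit_findings + 1))
                fi ;;
            -v|--volume)
                spec=$2; shift
                opts=${spec#*:*:}                # text after the second colon, or $spec itself if there is none
                case ",$opts," in
                    *,ro,*) ;;                   # read-only mount
                    *) echo "writable bind mount: -v $spec"
                       audit_findings=$((audit_findings + 1)) ;;
                esac ;;
        esac
        shift
    done
    [ "$audit_findings" -eq 0 ]
}

# Constructed `iptables -t nat -S DOCKER` snapshots for the two commands above.
# Docker adds "-d <ip>/32" to the DNAT rule only when -p was given a host address.
NAT_VULNERABLE='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3310 -j DNAT --to-destination 172.17.0.2:3310
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 7357 -j DNAT --to-destination 172.17.0.2:7357'
NAT_HARDENED='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 3310 -j DNAT --to-destination 172.17.0.2:3310
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 7357 -j DNAT --to-destination 172.17.0.2:7357'

# Usage: iptables -t nat -S DOCKER | exposed_ports_from_nat
# A DNAT rule without a "-d" match rewrites packets for any destination address,
# so the port is reachable on every interface before the filter table is consulted.
exposed_ports_from_nat() {
    awk '/-j DNAT/ && !/ -d / { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# Stand-alone demonstration.
for cmd in "$VULNERABLE_CMD" "$HARDENED_CMD"; do
    echo "== $cmd"
    audit_docker_run "$cmd" && echo "   no exposure findings"
done
echo "== host ports DNAT'ed for any destination in the vulnerable snapshot:"
printf '%s\n' "$NAT_VULNERABLE" | exposed_ports_from_nat
```

On a live host, pipe the real table in with `iptables -t nat -S DOCKER | exposed_ports_from_nat`; any port it prints is reachable from outside regardless of what `ufw status` reports, because ufw's rules sit behind Docker's accept rules. The linter deliberately reads a command string rather than the Docker API so it can be run against the documentation text itself before anything is deployed.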
