=====================================================================
CERT-Renater Note d'Information No. 2026/VULN198
_____________________________________________________________________

DATE : 20/02/2026

HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running clamav (bigbluebutton) versions prior to 3.0.22.
=====================================================================

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wmhx-qw2p-w6gc
_____________________________________________________________________

Exposed ClamAV port allowing denial of service
Severity: High
Published by antobinary as GHSA-wmhx-qw2p-w6gc on Feb 20, 2026

Package:           clamav (bigbluebutton)
Affected versions: <= 3.0.21
Patched versions:  >= 3.0.22

Description

Summary

This advisory concerns the optional ClamAV configuration on a BigBlueButton server. Unless you opted in by following the extra instructions in BigBlueButton's documentation, it does not apply to you.

The official "Server Customization" documentation, under "Support for ClamAV as presentation file scanner", contains instructions that leave a BBB server vulnerable to denial of service.

Details

The documented example for running ClamAV on the BBB server currently looks like this:

    docker pull clamav/clamav
    docker run --name "clamav" --mount type=bind,source=/var/bigbluebutton,target=/var/bigbluebutton -p 3310:3310 -p 7357:7357 clamav/clamav:latest

This command publishes both ports (3310 and 7357) on all interfaces, i.e. to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or to shut the clamd process down. The clamd documentation explicitly warns against exposing this port.

Enabling ufw (the Ubuntu firewall) during installation does not help. Docker publishes a port by adding a DNAT rule in the nat table and forwarding the packets to the container, so they traverse the FORWARD chain, where Docker's own accept rules are evaluated before ufw's, instead of the INPUT chain where ufw's rules apply. The rules ufw installs in the filter table therefore never block this traffic.
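The following script is an added example, not code from the advisory or from BigBlueButton: it audits a running container's `docker inspect` output for the exposure just described (ports published on all interfaces, the unused port 7357) and for the other weaknesses of the documented command that the mitigation section below lists (writable bind mount, running as root, no resource limits, no restart policy). The two embedded inspect documents are constructed to mirror the documented command and a hardened one; only the `docker inspect` fields the audit reads are included (HostConfig.PortBindings, Mounts, Config.User, HostConfig.Memory, HostConfig.NanoCpus, HostConfig.RestartPolicy).

```python
"""Audit a ClamAV container's `docker inspect` JSON for the weaknesses in GHSA-wmhx-qw2p-w6gc.

Added example, not BigBlueButton or ClamAV code.
Usage: docker inspect clamav | python3 audit_clamav_container.py
"""
import json
import sys

WILDCARD_HOST_IPS = {"", "0.0.0.0", "::"}   # what Docker binds to when -p has no host address
UNUSED_PORTS = {"7357"}                       # published by the old docs, not used by clamd


def audit_container(doc: dict) -> list:
    """Return a list of findings (empty when the container matches the advisory's mitigation)."""
    findings = []
    host_cfg = doc.get("HostConfig") or {}
    cfg = doc.get("Config") or {}

    # 1. Published ports: anything not bound to loopback is reachable from the network,
    #    and ufw does not see Docker's forwarded traffic.
    for spec, bindings in (host_cfg.get("PortBindings") or {}).items():
        port = spec.split("/")[0]
        if port in UNUSED_PORTS:
            findings.append(f"port {spec} is published but unused by clamd; remove it")
        for binding in bindings or []:
            host_ip = binding.get("HostIp", "")
            if host_ip in WILDCARD_HOST_IPS:
                findings.append(f"port {spec} is published on all interfaces (HostIp={host_ip!r})")

    # 2. Bind mounts: the scanner only needs to read presentations.
    for mount in doc.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("RW", True):
            findings.append(f"bind mount {mount.get('Source')} is writable; use :ro or INSTREAM")

    # 3. Privilege: the image's /init-unprivileged entrypoint is meant for a non-root user.
    if cfg.get("User") in (None, "", "0", "root"):
        findings.append("container runs as root; use --user clamav --entrypoint /init-unprivileged")

    # 4. Resource limits and restart policy (0 / "no" mean "not set" in docker inspect).
    if not host_cfg.get("Memory"):
        findings.append("no memory limit (--memory)")
    if not host_cfg.get("NanoCpus"):
        findings.append("no CPU limit (--cpus)")
    if (host_cfg.get("RestartPolicy") or {}).get("Name", "") in ("", "no"):
        findings.append("no restart policy (--restart unless-stopped)")
    return findings


# Constructed inspect documents (only the fields the audit reads), mirroring
# the documented command and the advisory's hardened command respectively.
DOCUMENTED = {
    "Name": "/clamav-as-documented",
    "Config": {"User": ""},
    "HostConfig": {
        "PortBindings": {"3310/tcp": [{"HostIp": "", "HostPort": "3310"}],
                         "7357/tcp": [{"HostIp": "", "HostPort": "7357"}]},
        "Memory": 0, "NanoCpus": 0,
        "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0},
    },
    "Mounts": [{"Type": "bind", "Source": "/var/bigbluebutton",
                "Destination": "/var/bigbluebutton", "Mode": "", "RW": True}],
}
HARDENED = {
    "Name": "/clamav-hardened",
    "Config": {"User": "clamav"},
    "HostConfig": {
        "PortBindings": {"3310/tcp": [{"HostIp": "127.0.0.1", "HostPort": "3310"}]},
        "Memory": 4 * 1024 ** 3, "NanoCpus": 1_000_000_000,   # --memory 4G, --cpus 1
        "RestartPolicy": {"Name": "unless-stopped", "MaximumRetryCount": 0},
    },
    "Mounts": [{"Type": "bind", "Source": "/var/bigbluebutton",
                "Destination": "/var/bigbluebutton", "Mode": "ro", "RW": False}],
}


def main() -> int:
    # `docker inspect` emits a JSON array; fall back to the constructed documents on a terminal.
    docs = [DOCUMENTED, HARDENED] if sys.stdin.isatty() else json.load(sys.stdin)
    worst = 0
    for doc in docs:
        findings = audit_container(doc)
        print(f"{doc.get('Name', '<unnamed>')}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
        worst = max(worst, len(findings))
    return 1 if worst else 0


if __name__ == "__main__":
    sys.exit(main())
```

Note that `127.0.0.1:3310:3310` binds only the IPv4 loopback address; if the host has IPv6 enabled in Docker, check that no `::` binding appears in PortBindings as well, which the audit flags.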
The provided example also mounts /var/bigbluebutton into the container with write permissions, which should not be required. A future vulnerability in clamd could allow an attacker to manipulate files in that folder.

PoC

    echo "SHUTDOWN" | netcat bbb.example.com 3310

Mitigation

- The clamav container should bind only to localhost, not to 0.0.0.0 (Docker's default when no host address is given).
- Port 7357 is not used and should be removed completely.
- The volume should be mounted read-only, or not at all: clamd has an INSTREAM command that scans a data stream instead of a local file.
- The container should not run as root; use the /init-unprivileged entrypoint instead.
- The container should be CPU and memory constrained.
- The container should restart automatically after a reboot or crash.

Example (untested):

    docker run --name "clamav" -d \
      --volume /var/bigbluebutton:/var/bigbluebutton:ro \
      --publish 127.0.0.1:3310:3310 \
      --user "clamav" \
      --entrypoint "/init-unprivileged" \
      --memory 4G \
      --cpus 1 \
      --restart unless-stopped \
      clamav/clamav:latest

Impact

BBB servers that enabled ClamAV support according to the official documentation are vulnerable to denial of service, and potentially to future RCE vulnerabilities in clamd.

Patches

BigBlueButton 3.0: 3.0.22 via f3d33d9

The documentation was updated on Feb 6, 2026. If you followed the optional ClamAV instructions from BigBlueButton's documentation before that date, remove ClamAV and add it again using the updated instructions. You do not need to be on that specific BigBlueButton version to be safe; it is only the version in which the documentation change was made.
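The following is an added example (not code from the advisory, BigBlueButton or ClamAV) of the two clamd protocol interactions the advisory refers to: a PING/PONG probe, which confirms that a clamd port answers from a given address without the SHUTDOWN side effect of the PoC, and the INSTREAM command, which lets a scanner receive file contents over the socket so that /var/bigbluebutton need not be mounted into the container at all. The framing is clamd's documented wire format (a `z`-prefixed, NUL-terminated command, then length-prefixed chunks ending with a zero-length chunk); the chunk size and the host/port defaults are assumptions for the example.

```python
"""Talk to clamd over its TCP socket: non-destructive exposure check and INSTREAM scanning.

Added example for GHSA-wmhx-qw2p-w6gc; not BigBlueButton or ClamAV code.
"""
from __future__ import annotations

import socket
import struct

# Assumption: 64 KiB chunks keep each frame far below clamd's StreamMaxLength (25 MB by default).
DEFAULT_CHUNK = 64 * 1024


def frame_command(cmd: bytes) -> bytes:
    """clamd accepts 'z'-prefixed, NUL-terminated commands; replies are then NUL-terminated too."""
    return b"z" + cmd + b"\0"


def instream_frames(data: bytes, chunk: int = DEFAULT_CHUNK) -> bytes:
    """Build a complete INSTREAM request: 'zINSTREAM\\0', then chunks of
    <4-byte big-endian length><bytes>, terminated by a zero-length chunk."""
    out = bytearray(frame_command(b"INSTREAM"))
    for offset in range(0, len(data), chunk):
        piece = data[offset:offset + chunk]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_verdict(reply: str) -> tuple[str, str | None]:
    """Classify an INSTREAM reply: 'stream: OK', 'stream: <signature> FOUND', or '... ERROR'."""
    reply = reply.strip()
    if reply == "stream: OK":
        return ("clean", None)
    if reply.startswith("stream: ") and reply.endswith(" FOUND"):
        return ("infected", reply[len("stream: "):-len(" FOUND")])
    return ("error", reply)


def _recv_reply(sock: socket.socket) -> str:
    """Read until the terminating NUL of a z-command reply, or until clamd closes the socket."""
    buf = bytearray()
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return buf.rstrip(b"\0").decode("ascii", "replace")


def clamd_ping(host: str, port: int = 3310, timeout: float = 5.0) -> bool:
    """Non-destructive exposure check: a PONG from a public address of the BBB server
    means port 3310 is published to the network (the advisory's PoC uses SHUTDOWN instead)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(frame_command(b"PING"))
            return _recv_reply(sock) == "PONG"
    except OSError:
        return False


def clamd_scan_bytes(data: bytes, host: str = "127.0.0.1", port: int = 3310,
                     timeout: float = 60.0) -> tuple[str, str | None]:
    """Scan *data* via INSTREAM over the loopback port, so no bind mount is needed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(instream_frames(data))
        return parse_verdict(_recv_reply(sock))


if __name__ == "__main__":
    import sys
    # Usage: python3 clamd_instream.py <presentation file>   (scans through 127.0.0.1:3310)
    with open(sys.argv[1], "rb") as fh:
        print(clamd_scan_bytes(fh.read()))
```

Because clamd answers a single command per connection, each scan opens its own socket; a reply of `INSTREAM size limit exceeded. ERROR` means the stream exceeded StreamMaxLength and is reported as an error rather than as clean, which a caller should treat as a rejected upload, not a pass.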
Severity

High, 7.2 / 10

CVSS v3 base metrics
  Attack vector:        Network
  Attack complexity:    Low
  Privileges required:  None
  User interaction:     None
  Scope:                Changed
  Confidentiality:      Low
  Integrity:            None
  Availability:         Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

CVE ID:     CVE-2026-27466
Weaknesses: No CWEs

Credits
  @defnull (defnull), reporter
  @samuelwei (samuelwei), reporter

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================