CVE-2026-3172
Buffer Overflow in pgvector Parallel HNSW Index Causes Data Leak
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: PostgreSQL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pgvector | pgvector | From 0.6.0 (inc) to 0.8.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3172 is a buffer overflow vulnerability in the pgvector extension for PostgreSQL, specifically in the parallel build process of HNSW (Hierarchical Navigable Small World) indexes.
This vulnerability is caused by an integer wraparound issue that occurs when using parallel workers to create or reindex HNSW indexes.
It affects pgvector versions 0.6.0 through 0.8.1 and allows a database user with appropriate permissions to either leak sensitive data from other database relations or crash the database server.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized leakage of sensitive data from other database relations.
Additionally, it can cause the database server to crash, leading to denial of service and potential disruption of services relying on the database.
Because the vulnerability requires only database user permissions to create or reindex HNSW indexes, it poses a significant risk if exploited.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects pgvector versions 0.6.0 through 0.8.1 and allows a database user with permissions to create or reindex an HNSW index using parallel workers to leak sensitive data or crash the database server.
To mitigate this vulnerability, users running affected versions should upgrade pgvector to version 0.8.2 or later, where the issue has been resolved.