CVE-2026-3172
Received Received - Intake
Buffer Overflow in pgvector Parallel HNSW Index Causes Data Leak

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: PostgreSQL

Description
Buffer overflow in parallel HNSW index build in pgvector 0.6.0 through 0.8.1 allows a database user to leak sensitive data from other relations or crash the database server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3172
EUVD
EUVD-2026-8743
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pgvector pgvector From 0.6.0 (inc) to 0.8.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3172 is a buffer overflow vulnerability in the pgvector extension for PostgreSQL, specifically in the parallel build process of HNSW (Hierarchical Navigable Small World) indexes.

This vulnerability is caused by an integer wraparound issue that occurs when using parallel workers to create or reindex HNSW indexes.

It affects pgvector versions 0.6.0 through 0.8.1 and allows a database user with appropriate permissions to either leak sensitive data from other database relations or crash the database server.

Impact Analysis

This vulnerability can have serious impacts including unauthorized leakage of sensitive data from other database relations.

Additionally, it can cause the database server to crash, leading to denial of service and potential disruption of services relying on the database.

Because the vulnerability requires only database user permissions to create or reindex HNSW indexes, it poses a significant risk if exploited.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability affects pgvector versions 0.6.0 through 0.8.1 and allows a database user with permissions to create or reindex an HNSW index using parallel workers to leak sensitive data or crash the database server.

To mitigate this vulnerability, users running affected versions should upgrade pgvector to version 0.8.2 or later, where the issue has been resolved.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart