CVE-2026-3172
Received Received - Intake

Buffer Overflow in pgvector Parallel HNSW Index Causes Data Leak

Vulnerability report for CVE-2026-3172, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: PostgreSQL

Description

Buffer overflow in parallel HNSW index build in pgvector 0.6.0 through 0.8.1 allows a database user to leak sensitive data from other relations or crash the database server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-07-06
AI Q&A
2026-02-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pgvector pgvector From 0.6.0 (inc) to 0.8.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-3172 is a buffer overflow vulnerability in the pgvector extension for PostgreSQL, specifically in the parallel build process of HNSW (Hierarchical Navigable Small World) indexes.

This vulnerability is caused by an integer wraparound issue that occurs when using parallel workers to create or reindex HNSW indexes.

It affects pgvector versions 0.6.0 through 0.8.1 and allows a database user with appropriate permissions to either leak sensitive data from other database relations or crash the database server.

Impact Analysis

This vulnerability can have serious impacts including unauthorized leakage of sensitive data from other database relations.

Additionally, it can cause the database server to crash, leading to denial of service and potential disruption of services relying on the database.

Because the vulnerability requires only database user permissions to create or reindex HNSW indexes, it poses a significant risk if exploited.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability affects pgvector versions 0.6.0 through 0.8.1 and allows a database user with permissions to create or reindex an HNSW index using parallel workers to leak sensitive data or crash the database server.

To mitigate this vulnerability, users running affected versions should upgrade pgvector to version 0.8.2 or later, where the issue has been resolved.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart