Description
Buffer overflow in parallel HNSW index build in pgvector 0.6.0 through 0.8.1 allows a database user to leak sensitive data from other relations or crash the database server.
Published: 2026-02-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data leakage and denial of service
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a buffer overflow that occurs during the parallel construction of an HNSW index in the pgvector extension, allowing a database user to read memory from other database relations or to cause the Postgres process to crash. The weakness involves a classic memory overrun (CWE‑120) combined with signed integer overflows and signed/unsigned mismatches (CWE‑190, CWE‑191) and a use‑after‑free scenario (CWE‑787).

Affected Systems

It affects any pgvector installation from version 0.6.0 through 0.8.1, meaning any PostgreSQL database that has the pgvector extension installed and permits users to build or rebuild HNSW indexes in parallel will be vulnerable.

Risk and Exploitability

The CVSS score of 8.1 signifies high severity, while the EPSS probability is less than 1% and the vulnerability is not listed in CISA's KEV catalog. It is inferred that the attack vector is local, requiring a database user with the privilege to initiate parallel index builds. Exploitation could enable an attacker to read confidential data from other tables or cause a database crash, potentially leading to a denial of service.

Generated by OpenCVE AI on April 18, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgvector to a version newer than 0.8.1 to apply the buffer‑overflow fix.
  • If an upgrade cannot be performed immediately, configure ‘max_parallel_workers_per_gather’ to 0 or otherwise prevent parallel execution when building HNSW indexes, forcing serial builds.
  • Limit the role set that has permission to create or rebuild pgvector HNSW indexes to trusted users only.

Generated by OpenCVE AI on April 18, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-190
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 26 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Pgvector
Pgvector pgvector
Vendors & Products Pgvector
Pgvector pgvector

Wed, 25 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description Buffer overflow in parallel HNSW index build in pgvector 0.6.0 through 0.8.1 allows a database user to leak sensitive data from other relations or crash the database server.
Title pgvector buffer overflow in parallel HNSW index build
Weaknesses CWE-191
CWE-787
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Subscriptions

Pgvector Pgvector
cve-icon MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-02-26T15:04:08.481Z

Reserved: 2026-02-24T22:42:24.733Z

Link: CVE-2026-3172

cve-icon Vulnrichment

Updated: 2026-02-26T15:03:39.831Z

cve-icon NVD

Status : Deferred

Published: 2026-02-25T21:16:44.857

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-3172

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-25T20:59:10Z

Links: CVE-2026-3172 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses