CVE-2026-3172

8.1 HIGH

📋 TL;DR

A buffer overflow vulnerability in the parallel HNSW index build functionality of pgvector allows authenticated database users to read sensitive data from other database relations or to crash the PostgreSQL server, causing denial of service. This affects pgvector extension versions 0.6.0 through 0.8.1 on any PostgreSQL installation.

💻 Affected Systems

Products:
  • pgvector
Versions: 0.6.0 through 0.8.1
Operating Systems: All operating systems running PostgreSQL with pgvector extension
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PostgreSQL database with pgvector extension installed and enabled. Vulnerability is triggered during parallel HNSW index creation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could exfiltrate sensitive data from other database tables, potentially including credentials, personal information, or proprietary data, while also crashing the database server causing extended downtime.

🟠 Likely Case

An authenticated user with index creation privileges could crash the database server during HNSW index creation, causing temporary service disruption and potential data corruption.

🟢 If Mitigated

With proper access controls limiting index creation to trusted users only, the attack surface is reduced to authorized personnel, though insider threat remains possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires database authentication and CREATE INDEX privileges. The buffer overflow occurs during specific index building operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.2

Vendor Advisory: https://github.com/pgvector/pgvector/issues/959

Restart Required: Yes

Instructions:

  1. Stop the PostgreSQL service.
  2. Update the pgvector extension to version 0.8.2 or later using your package manager or from source.
  3. Restart the PostgreSQL service.
  4. Verify the updated version is active.

🔧 Temporary Workarounds

Disable parallel index creation

all

Prevent use of parallel HNSW index building, which is what triggers the vulnerability.

ALTER SYSTEM SET max_parallel_workers = 0;
SELECT pg_reload_conf();

Restrict index creation privileges

all

Limit CREATE INDEX permissions to essential database users only.

REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT CREATE ON SCHEMA public TO trusted_users_only;

🧯 If You Can't Patch

  • Implement strict access controls to limit index creation to essential administrative users only
  • Monitor database logs for HNSW index creation attempts and investigate suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check pgvector version in PostgreSQL: SELECT * FROM pg_available_extensions WHERE name = 'vector';

Check Version:

SELECT * FROM pg_available_extensions WHERE name = 'vector';

Verify Fix Applied:

Confirm pgvector version is 0.8.2 or later: SELECT * FROM pg_available_extensions WHERE name = 'vector';
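Added example (not from the advisory or the pgvector project): one SQL session that checks the installed pgvector version against the affected range, shows the parallel-build settings the workaround above touches, and lists the roles that own tables with vector columns, since CREATE INDEX requires table ownership rather than CREATE privilege on the schema. It assumes the queries run in each database that has the extension; max_parallel_maintenance_workers is a standard PostgreSQL setting that the advisory does not mention.

```sql
-- Added example, not part of the advisory. Run in every database that
-- has the extension installed: pg_extension is per-database.

-- 1. Installed version vs. the affected range 0.6.0 through 0.8.1.
--    "installed" is what this database is actually using; "packaged" is
--    what the files on disk provide. If they differ after an upgrade,
--    the extension still needs: ALTER EXTENSION vector UPDATE;
WITH ver AS (
    SELECT e.extname,
           e.extversion                               AS installed,
           a.default_version                          AS packaged,
           string_to_array(e.extversion, '.')::int[]  AS v
    FROM pg_extension e
    JOIN pg_available_extensions a ON a.name = e.extname
    WHERE e.extname = 'vector'
)
SELECT extname, installed, packaged,
       CASE
         WHEN v >= ARRAY[0,6,0] AND v <= ARRAY[0,8,1]
           THEN 'VULNERABLE: upgrade to 0.8.2 or later'
         WHEN v >= ARRAY[0,8,2] THEN 'fixed'
         ELSE 'outside the affected range'
       END AS status
FROM ver;

-- 2. Settings that govern parallel index builds. The advisory's workaround
--    sets max_parallel_workers = 0, which also disables parallel query for
--    every session; max_parallel_maintenance_workers is the setting that
--    specifically caps the workers an index build may request.
SELECT name, setting, source
FROM pg_settings
WHERE name IN ('max_parallel_workers', 'max_parallel_maintenance_workers');

-- 3. Who can start an HNSW build: CREATE INDEX requires owning the table,
--    so these owners (members of those roles, and superusers) are the
--    accounts to review, whatever CREATE privilege the schema grants.
SELECT n.nspname                   AS schema_name,
       c.relname                   AS table_name,
       pg_get_userbyid(c.relowner) AS owner
FROM pg_attribute a
JOIN pg_class     c ON c.oid = a.attrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_type      t ON t.oid = a.atttypid
WHERE t.typname = 'vector'
  AND c.relkind IN ('r', 'p', 'm')
  AND a.attnum > 0
  AND NOT a.attisdropped
ORDER BY 1, 2;
```

The first query returns no rows in a database where the extension is not installed, which is itself the answer for that database.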

📡 Detection & Monitoring

Log Indicators:

  • PostgreSQL crash logs
  • Error messages related to HNSW index creation
  • Unexpected parallel worker failures

Network Indicators:

  • Unusual database connection patterns from non-admin users
  • Spikes in failed index creation requests

SIEM Query:

source="postgresql.log" AND ("HNSW" OR "parallel index" OR "buffer overflow")