CVE-2026-3172 - pgvector buffer overflow in parallel HNSW index build

First Published: 2026/03/10

Important: This assessment evaluates the impact of CVE-2026-3172 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

A buffer overflow in the parallel HNSW (Hierarchical Navigable Small World) index build process in the pgvector extension allows an authenticated database user to trigger a buffer overrun with crafted queries. This can lead to the leaking of sensitive data from other relations or a crash of the database server. The vulnerability is triggered only during concurrent index construction, when multiple worker processes are used for the build.

Vulnerability details

CVE-ID: CVE-2026-3172

CVE Publish Date: 2026-02-25

CVSS Base Score: 8.1

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected products and versions

EDB Cloud and Managed Services

  • EDB Postgres Extended Server
  • EDB Postgres Advanced Server
  • EDB Cloud Service (formerly BigAnimal)
  • Hybrid Manager (HM)
  • EDB Postgres® AI for CloudNativePG™ (All community and EDB Postgres® AI for CloudNativePG™ versions)
  • WarehousePG

Affected Extensions

  • pgvector: All versions from 0.6.0 through 0.8.1
  • aidb
  • pgpu

Remediation/fixes

Remediation for this CVE requires updating the extension version within the database. Updating the underlying EDB product version alone may not apply the fix to existing databases.

pgvector Extension

Affected Version    Fixed In    Fix Published
0.6.0 to 0.8.1      0.8.2       2026-02-25

aidb Extension

Affected Version         Fixed In                         Fix Published
All prior to Feb 2026    Updated with 0.8.2 dependency    2026-02-25

pgpu Extension

Affected Version         Fixed In                         Fix Published
All prior to Feb 2026    Updated with 0.8.2 dependency    2026-02-25
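Because an extension's version is recorded per database, the remediation above has to be checked and applied in every database that has pgvector installed. The following SQL is an added example, not EDB's or the pgvector project's own tooling; it assumes the 0.8.2 extension files are already installed on the server and that it is run by the extension owner or a superuser.

```sql
-- Step 1: confirm the fixed release is available to this server.
-- If 0.8.2 is not listed, the OS/package update has not been applied yet.
SELECT name, version
FROM pg_available_extension_versions
WHERE name = 'vector'
ORDER BY version;

-- Step 2: report the version installed in the current database and flag it
-- when it falls inside the affected range 0.6.0 .. 0.8.1 (inclusive).
-- The version string is split into an int[] so the comparison is numeric,
-- not lexical (so '0.10.0' would not sort before '0.8.1').
SELECT e.extname,
       e.extversion       AS installed,
       a.default_version  AS available_default,
       (string_to_array(e.extversion, '.')::int[] >= ARRAY[0, 6, 0]
        AND string_to_array(e.extversion, '.')::int[] <= ARRAY[0, 8, 1]) AS affected
FROM pg_extension e
JOIN pg_available_extensions a ON a.name = e.extname
WHERE e.extname = 'vector';

-- Step 3: apply the fix in this database. This only changes the extension
-- objects here; repeat per database (for example, with a psql loop over
-- pg_database) rather than relying on the server upgrade alone.
ALTER EXTENSION vector UPDATE TO '0.8.2';

-- Step 4: verify the recorded version.
SELECT extversion FROM pg_extension WHERE extname = 'vector';
```

Step 3 fails with an error if the 0.8.2 update script is not present, which is the expected signal that the extension package itself still needs to be upgraded.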
