Christophe Pettus: pgvector 0.8.2 and the Trouble With Parallel HNSW

⚡ TL;DR · AI summary

pgvector 0.8.2 has been released to address a critical buffer overflow vulnerability in parallel HNSW index builds. Users are advised to upgrade to this version to prevent potential data leaks or crashes. The issue arises from the complexities of shared memory management during parallel builds, which can lead to corruption across different user sessions.

Opening excerpt (first ~120 words)

2026-05-22 · 4 min · PostgreSQL

pgvector 0.8.2 and the Trouble With Parallel HNSW

pgvector 0.8.2 is out. It fixes CVE-2026-3172, a heap buffer overflow in parallel HNSW index builds that can leak data from other relations or crash the backend. If you run pgvector and have it pinned to a version below 0.8.2, upgrade. If you are on a managed provider, check which pgvector version they actually ship — a non-trivial number of them lag the upstream release by weeks, and “we support pgvector” does not mean “we are on the version that fixed the parallel HNSW bug.”

What broke

HNSW is a layered graph.

Excerpt limited to ~120 words for fair-use compliance. The full article is at Postgr.
