{"id":"PYSEC-2026-1938","summary":"Heap-based Buffer Overflow in sqlite-vec","details":"sqlite-vec v0.1.1 was discovered to contain a heap buffer overflow via the npy_token_next function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.","aliases":["CVE-2024-46488","GHSA-vrcx-gx3g-j3h8"],"modified":"2026-07-07T17:47:58.805145008Z","published":"2026-07-07T14:34:42.450519Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46488"},{"type":"WEB","url":"https://github.com/VulnSphere/LLMVulnSphere/blob/main/VectorDB/sqlite-vec/OOBR_2.md"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-vrcx-gx3g-j3h8"},{"type":"PACKAGE","url":"https://github.com/asg017/sqlite-vec"},{"type":"WEB","url":"https://github.com/asg017/sqlite-vec/releases/tag/v0.1.3"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sqlite-vec/CVE-2024-46488.yml"},{"type":"PACKAGE","url":"https://pypi.org/project/sqlite-vec"}],"affected":[{"package":{"name":"sqlite-vec","ecosystem":"PyPI","purl":"pkg:pypi/sqlite-vec"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.1.3"}]}],"versions":["0.0.1a10","0.0.1a12","0.0.1a13","0.0.1a14","0.0.1a16","0.0.1a17","0.0.1a18","0.0.1a19","0.0.1a20","0.0.1a21","0.0.1a22","0.0.1a23","0.0.1a24","0.0.1a25","0.0.1a26","0.0.1a27","0.0.1a28","0.0.1a29","0.0.1a3","0.0.1a30","0.0.1a31","0.0.1a32","0.0.1a33","0.0.1a34","0.0.1a35","0.0.1a36","0.0.1a37","0.0.1a7","0.0.1a8","0.0.1a9","0.1.0","0.1.0a1","0.1.1","0.1.1a2","0.1.1a3","0.1.2","0.1.2a1","0.1.2a10","0.1.2a2","0.1.2a4","0.1.2a5","0.1.2a6","0.1.2a7","0.1.2a9","0.1.3a1","0.1.3a2","0.1.3a3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/sqlite-vec/PYSEC-2026-1938.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N"}]}