SEGV in faiss (id:000281,sig:11,src:000857,time:39901240,execs:567662,op:havoc,rep:3)
Severity: medium CWE: CWE-119 Target: faiss Generated: 2026-02-19
Summary
SEGV in faiss (id:000281,sig:11,src:000857,time:39901240,execs:567662,op:havoc,rep:3). See ASAN output below for details.
Reproduction
chmod +x reproduce.sh
./reproduce.sh
Or manually:
cmake -B build-asan -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DFAISS_ENABLE_GPU=OFF && cmake --build build-asan -j$(nproc)
ASAN_OPTIONS=detect_leaks=0 ./build-asan/fuzz_read_index ../poc.faiss
PoC File
poc.faiss (507 bytes)
ASAN Output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2425791==ERROR: AddressSanitizer: SEGV on unknown address 0x505e800000a0 (pc 0x5ffc37d5419a bp 0x7ffd1b625ab0 sp 0x7ffd1b625a10 T0)
==2425791==The signal is caused by a READ memory access.
#0 0x5ffc37d5419a in faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>::reconstruct_component(unsigned char const*, unsigned long) const /home/lab/huntr/targets/faiss/faiss/impl/scalar_quantizer/quantizers.h:169:24
#1 0x5ffc37d5419a in faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>::compute_distance(float const*, unsigned char const*) const /home/lab/huntr/targets/faiss/faiss/impl/scalar_quantizer/distance_computers.h:40:30
#2 0x5ffc37d5419a in faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>::query_to_code(unsigned char const*) const /home/lab/huntr/targets/faiss/faiss/impl/scalar_quantizer/distance_computers.h:68:16
#3 0x5ffc37d5419a in faiss::(anonymous namespace)::IVFSQScannerIP<faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>>::distance_to_code(unsigned char const*) const /home/lab/huntr/targets/faiss/faiss/impl/ScalarQuantizer.cpp:433:27
#4 0x5ffc37d5419a in unsigned long faiss::(anonymous namespace)::run_scan_codes1<faiss::(anonymous namespace)::IVFSQScannerIP<faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>>, faiss::CMin<float, long>, false, false>(faiss::(anonymous namespace)::IVFSQScannerIP<faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>> const&, unsigned long, unsigned char const*, long const*, faiss::ResultHandlerUnordered<float, long>&) /home/lab/huntr/targets/faiss/faiss/impl/expanded_scanners.h:48:29
#5 0x5ffc37d5419a in unsigned long faiss::(anonymous namespace)::run_scan_codes_fix_C<faiss::CMin<float, long>, faiss::(anonymous namespace)::IVFSQScannerIP<faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>>>(faiss::(anonymous namespace)::IVFSQScanne
Impact
Memory-safety bug (an invalid READ, per the ASAN trace, in the scalar-quantizer reconstruct_component path during an IVF code scan) reachable by loading a malformed faiss index file. An attacker could craft a malicious file and distribute it to cause denial of service or potentially leak sensitive heap data.