diff --git a/pkg/vex/vex.go b/pkg/vex/vex.go
index e9ad15233b04..827285295c6b 100644
--- a/pkg/vex/vex.go
+++ b/pkg/vex/vex.go
@@ -181,6 +181,11 @@ func reachRoot(leaf *core.Component, components map[uuid.UUID]*core.Component, p
 return false
 } else if c.Root {
 return true
+ } else if len(parents[c.ID()]) == 0 {
+ // Should never reach here as all components other than the root should have at least one parent.
+ // If it does, it means the component tree is not connected due to a bug in the SBOM generation.
+ // In this case, so as not to filter out all the vulnerabilities accidentally, return true for fail-safe.
+ return true
 }
 visited[c.ID()] = true
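Review bot: The new `len(parents[c.ID()]) == 0` branch returns true without recording that it fired, so a disconnected component graph (which the comment itself attributes to an SBOM-generation bug) would go unnoticed while the VEX reachability check is effectively bypassed for that path. The direction is the conservative one, since the vulnerability is kept rather than suppressed, but the branch deserves a debug or warning log naming the component, emitted through whatever logger this package already uses. I would also reword the comment's last line to say what true means here, e.g. `// Fail safe: treat the orphaned component as reaching the root so its vulnerabilities are reported, not suppressed.` A unit test with a parentless non-root component would pin this behaviour. The enclosing closure and reachRoot itself begin and end outside the hunk, so the interaction with the `visited` map could not be checked from here.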