CVE-2025-47873
Out-of-Bounds Read in Canva Affinity EMF Risks Data Leak
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Talos
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canva | affinity | to 3.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-47873 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity, specifically in version 3.0.1.3808.
The issue arises from improper handling of the EMR_POLYBEZIER16 record type within EMF files. This record defines one or more Bezier curves and includes a Count field specifying the number of PointS objects in an array.
When the Count value is excessively large, the application calculates a size that exceeds the allocated memory for the array and reads beyond its bounds. This out-of-bounds read can cause the application to access arbitrary memory, potentially exposing sensitive information.
How can this vulnerability impact me? :
Exploiting this vulnerability allows an attacker to perform an out-of-bounds read, which can lead to the disclosure of arbitrary memory contents.
This means sensitive information stored in memory could be exposed to an attacker.
The vulnerability requires local access and user interaction, but no special privileges are needed.
The impact on confidentiality is high, while integrity is not affected and availability impact is low.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves processing specially crafted EMF files that exploit an out-of-bounds read in the EMR_POLYBEZIER16 record type within Canva Affinity version 3.0.1.3808.
Detection can focus on identifying suspicious or malformed EMF files with an unusually large Count field in the EMR_POLYBEZIER16 record that exceeds the expected recordSize.
On the system, monitoring application crashes or access violations (such as code c0000005) related to Canva Affinity when opening EMF files can indicate exploitation attempts.
- Use file inspection tools or scripts to parse EMF files and verify the Count field in EMR_POLYBEZIER16 records does not exceed the recordSize boundary.
- Monitor system logs for application errors or crashes triggered by Canva Affinity when processing EMF files.
- Example command to check EMF files (requires custom script or tool): parse EMF headers and validate Count against recordSize in EMR_POLYBEZIER16 records.
What immediate steps should I take to mitigate this vulnerability?
The vendor has released a patch for this vulnerability on March 17, 2026.
- Immediately update Canva Affinity to the patched version that addresses this out-of-bounds read vulnerability.
- Avoid opening untrusted or suspicious EMF files, especially those received from unknown sources.
- Implement monitoring for application crashes or unusual behavior related to EMF file processing.
- Consider restricting user permissions or sandboxing Canva Affinity to limit the impact of potential exploitation.