CVE-2025-64733
Out-of-Bounds Read in Canva Affinity EMF Risks Data Exposure
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Talos
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canva | affinity | to 3.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-64733 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity, specifically in version 3.0.1.3808.'}, {'type': 'paragraph', 'content': "The vulnerability occurs due to improper validation of the 'offBmi' field within the 'EMR_CREATEDIBPATTERNBRUSHPT' record of an EMF file. When 'offBmi' is set to a value larger than the record size, the program calculates a pointer to memory outside the valid bounds."}, {'type': 'paragraph', 'content': 'This causes an out-of-bounds read, allowing the attacker to read arbitrary memory within the process, potentially exposing sensitive information.'}] [1]
How can this vulnerability impact me? :
Exploitation of this vulnerability allows an attacker to perform an out-of-bounds read, which can lead to the disclosure of sensitive information stored in the memory of the affected process.
The attack requires local access and user interaction but does not require privileges, making it a risk for users who open specially crafted EMF files.
The confidentiality impact is high, meaning sensitive data could be exposed, while integrity is not affected and availability impact is low.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by processing a specially crafted EMF file in Canva Affinity version 3.0.1.3808. Detection involves monitoring for crashes or access violations related to EMF file handling, specifically in the libpersona module during calls to CreateDynamicBitmapFromDib.
Since the vulnerability arises from an out-of-bounds read caused by an invalid offBmi field in EMF files, you can detect suspicious EMF files by analyzing their structure for abnormal offBmi values exceeding recordSize.
There are no specific commands provided in the resources, but general approaches include:
- Using debugging or monitoring tools to detect access violations (exception code c0000005) in the libpersona module when loading EMF files.
- Inspecting EMF files with custom scripts or tools to validate the offBmi field within EMR_CREATEDIBPATTERNBRUSHPT records to ensure it does not exceed recordSize.
- Monitoring application logs or crash reports for errors related to EMF processing.
What immediate steps should I take to mitigate this vulnerability?
The vendor released a patch for this vulnerability on March 17, 2026. The immediate step to mitigate this vulnerability is to update Canva Affinity to the patched version that addresses this out-of-bounds read issue.
Until the patch is applied, avoid opening or processing untrusted or specially crafted EMF files in Canva Affinity to prevent exploitation.
Additionally, consider monitoring for crashes or unusual behavior related to EMF file handling as a temporary mitigation.