CVE-2025-64733
Received Received - Intake
Out-of-Bounds Read in Canva Affinity EMF Risks Data Exposure

Publication date: 2026-03-17

Last updated on: 2026-03-19

Assigner: Talos

Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64733
EUVD
EUVD-2025-208797
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
canva affinity to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-64733 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity, specifically in version 3.0.1.3808.'}, {'type': 'paragraph', 'content': "The vulnerability occurs due to improper validation of the 'offBmi' field within the 'EMR_CREATEDIBPATTERNBRUSHPT' record of an EMF file. When 'offBmi' is set to a value larger than the record size, the program calculates a pointer to memory outside the valid bounds."}, {'type': 'paragraph', 'content': 'This causes an out-of-bounds read, allowing the attacker to read arbitrary memory within the process, potentially exposing sensitive information.'}] [1]

Impact Analysis

Exploitation of this vulnerability allows an attacker to perform an out-of-bounds read, which can lead to the disclosure of sensitive information stored in the memory of the affected process.

The attack requires local access and user interaction but does not require privileges, making it a risk for users who open specially crafted EMF files.

The confidentiality impact is high, meaning sensitive data could be exposed, while integrity is not affected and availability impact is low.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is triggered by processing a specially crafted EMF file in Canva Affinity version 3.0.1.3808. Detection involves monitoring for crashes or access violations related to EMF file handling, specifically in the libpersona module during calls to CreateDynamicBitmapFromDib.

Since the vulnerability arises from an out-of-bounds read caused by an invalid offBmi field in EMF files, you can detect suspicious EMF files by analyzing their structure for abnormal offBmi values exceeding recordSize.

There are no specific commands provided in the resources, but general approaches include:

  • Using debugging or monitoring tools to detect access violations (exception code c0000005) in the libpersona module when loading EMF files.
  • Inspecting EMF files with custom scripts or tools to validate the offBmi field within EMR_CREATEDIBPATTERNBRUSHPT records to ensure it does not exceed recordSize.
  • Monitoring application logs or crash reports for errors related to EMF processing.
Mitigation Strategies

The vendor released a patch for this vulnerability on March 17, 2026. The immediate step to mitigate this vulnerability is to update Canva Affinity to the patched version that addresses this out-of-bounds read issue.

Until the patch is applied, avoid opening or processing untrusted or specially crafted EMF files in Canva Affinity to prevent exploitation.

Additionally, consider monitoring for crashes or unusual behavior related to EMF file handling as a temporary mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64733. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart