CVE-2025-64735
Out-of-Bounds Read in Canva Affinity EMF Risks Data Exposure
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Talos
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canva | affinity | up to 3.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64735 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity version 3.0.1.3808.
The vulnerability occurs specifically in the handling of the EMR_STRETCHBLT record within EMF files, where a field called offBmiSrc is not properly validated against the recordSize field.
If offBmiSrc is larger than recordSize, the program reads memory outside the intended bounds, leading to an out-of-bounds read condition.
This can cause the program to access unallocated memory, potentially disclosing sensitive information from the process memory.
How can this vulnerability impact me?
An attacker who exploits this vulnerability can cause the application to read memory outside its intended boundaries.
This out-of-bounds read can lead to the disclosure of sensitive information stored in the process memory.
The attack requires local access and user interaction but does not require privileges.
The impact is primarily on confidentiality, with no impact on integrity and low impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves processing specially crafted EMF files in Canva Affinity version 3.0.1.3808, specifically targeting the EMR_STRETCHBLT record within EMF files. Detection would involve monitoring for the presence or opening of suspicious or malformed EMF files that could trigger the out-of-bounds read.
Since the vulnerability is local and requires user interaction, detection can include checking for unexpected crashes or access violations (such as code c0000005) in the Canva Affinity process when handling EMF files.
No specific commands are provided in the resources, but general approaches could include:
- Using system or application logs to identify crashes or access violations related to Canva Affinity.
- Monitoring file activity for EMF files being opened or processed by Canva Affinity.
- Using debugging or memory analysis tools to detect out-of-bounds reads or access violations during EMF file processing.
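One way to triage EMF files before they are opened, as an added example that is not from the advisory or from Canva: a Python scanner that walks the EMF record stream and flags EMR_STRETCHBLT records whose bitmap offsets fall outside the record. The record type value (0x4D) and field offsets follow the public MS-EMF record layout; the function names and sample bytes are constructed for illustration, and the check also covers offBitsSrc, which goes beyond the single field named above.

```python
import struct

EMR_STRETCHBLT = 0x4D   # record type value from the MS-EMF specification
OFF_BMI_SRC = 84        # offset of offBmiSrc; cbBmiSrc, offBitsSrc, cbBitsSrc follow
FIXED_LEN = 108         # size of the fixed part of an EMR_STRETCHBLT record


def scan_emf_records(data: bytes):
    """Walk the record stream; return (record_offset, reason) for each problem."""
    findings, pos = [], 0
    while pos + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, pos)
        # A record must hold its 8-byte header, be 4-byte aligned and fit the file.
        if size < 8 or size % 4 or pos + size > len(data):
            findings.append((pos, f"bad record size {size}"))
            break
        if rtype == EMR_STRETCHBLT:
            if size < FIXED_LEN:
                findings.append((pos, "EMR_STRETCHBLT shorter than its fixed fields"))
            else:
                fields = struct.unpack_from("<4I", data, pos + OFF_BMI_SRC)
                for name, off, cb in (("Bmi", *fields[:2]), ("Bits", *fields[2:])):
                    # Offset and offset+length are both relative to the record start.
                    if off > size or off + cb > size:
                        findings.append(
                            (pos, f"off{name}Src={off} cb{name}Src={cb} exceeds recordSize={size}"))
        pos += size
    return findings


def make_stretchblt(off_bmi, cb_bmi, payload=b""):
    """Constructed test record: every field zero except type, size and the Bmi pair."""
    rec = bytearray(FIXED_LEN) + payload
    struct.pack_into("<II", rec, 0, EMR_STRETCHBLT, len(rec))
    struct.pack_into("<II", rec, OFF_BMI_SRC, off_bmi, cb_bmi)
    return bytes(rec)


# Constructed sample, not a complete EMF file: one consistent record, one whose
# offBmiSrc points past the end of the record.
SAMPLE = make_stretchblt(108, 40, bytes(40)) + make_stretchblt(0x1000, 40)

if __name__ == "__main__":
    for offset, reason in scan_emf_records(SAMPLE):
        print(f"record at byte {offset}: {reason}")
```

To scan a real file, pass its bytes to `scan_emf_records`; the EMF header is itself a record with the same type/size prefix, so the walk starts at byte 0.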
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the patch released by Canva on March 17, 2026, which addresses this vulnerability in Canva Affinity version 3.0.1.3808.
Until the patch is applied, users should avoid opening or processing untrusted or suspicious EMF files with Canva Affinity to prevent exploitation.
Additionally, limiting user privileges and educating users about the risk of opening untrusted files can reduce the likelihood of exploitation.