CVE-2025-66000
Out-of-Bounds Read in Canva Affinity EMF Risks Data Exposure

Publication date: 2026-03-17

Last updated on: 2026-03-19

Assigner: Talos

Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Meta Information
Published: 2026-03-17
Last Modified: 2026-03-19
Generated: 2026-06-16
AI Q&A: 2026-03-17
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: canva
Product: affinity
Version / Range: to 3.1.0 (exc)
CWE ID: CWE-125
Description: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2025-66000 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity version 3.0.1.3808.

The flaw occurs specifically in handling the EMR_POLYDRAW record type within EMF files, where the Count field is not properly validated.

If the Count value is set maliciously large, the program reads beyond the allocated memory bounds when accessing arrays of points and types, leading to an out-of-bounds read.

This can cause the application to read arbitrary memory within the Affinity process, potentially leaking sensitive information.
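
A pre-screening check for the condition described above, as an added example (not code from Canva, Talos or this page): it walks an EMF record stream and flags any EMR_POLYDRAW record whose Count cannot fit inside the record's declared size. The record layout and the type value 0x38 are taken from the public MS-EMF specification; the function names and sample records are constructed for illustration.

```python
import struct

EMR_POLYDRAW = 0x38   # record type value from the public MS-EMF specification
EMR_EOF = 0x0E
FIXED = 28            # Type(4) + Size(4) + Bounds(16) + Count(4)

def scan_emf(data: bytes) -> list:
    """Walk the record stream and return (offset, reason) for each suspicious record."""
    findings, off = [], 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            findings.append((off, f"record size {size} is invalid or overruns the file"))
            break  # cannot trust the stream past this point
        if rtype == EMR_POLYDRAW:
            if size < FIXED:
                findings.append((off, "EMR_POLYDRAW too short to hold a Count field"))
            else:
                (count,) = struct.unpack_from("<I", data, off + 24)
                # aPoints holds Count 8-byte points, abTypes holds Count 1-byte types.
                # Python ints do not wrap; a C parser must do this sum in 64 bits.
                need = FIXED + count * 8 + count
                if need > size:
                    findings.append((off, f"Count={count} needs {need} bytes, record has {size}"))
        off += size
    return findings

def polydraw(count_field: int, n_points: int) -> bytes:
    """Constructed sample record: n_points of real data, Count set to count_field."""
    body = struct.pack("<4iI", 0, 0, 10, 10, count_field)
    body += b"".join(struct.pack("<ii", i, i) for i in range(n_points))
    types = bytes([0x06] + [0x02] * (n_points - 1))   # PT_MOVETO, then PT_LINETO
    body += types + b"\0" * (-len(types) % 4)         # pad record to a 4-byte boundary
    return struct.pack("<II", EMR_POLYDRAW, 8 + len(body)) + body

EOF = struct.pack("<5I", EMR_EOF, 20, 0, 0, 20)
SAMPLE_OK = polydraw(3, 3) + EOF                        # Count matches the data
SAMPLE_BAD = polydraw(3, 3) + polydraw(1000, 3) + EOF   # Count exceeds the record

if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, scan_emf(blob))
```

The same comparison of Count against the record size is the bounds check a parser needs before indexing the point and type arrays.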

Impact Analysis

Exploitation of this vulnerability allows an attacker to perform an out-of-bounds read, which can lead to the disclosure of sensitive information from the memory of the Affinity process.

Because the vulnerability has a high confidentiality impact, sensitive data could be exposed without the attacker needing privileges, although local access and user interaction are required.

This could compromise your privacy or the confidentiality of your data handled by Canva Affinity.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is triggered by processing specially crafted EMF files in Canva Affinity version 3.0.1.3808. Detection involves monitoring for crashes or access violations (code c0000005) in the Affinity process when opening or handling EMF files, especially those containing malformed EMR_POLYDRAW records.

Since the vulnerability requires local user interaction and affects the EMF file processing, you can detect potential exploitation by:

  • Monitoring application logs or system event logs for access violation errors related to Canva Affinity.
  • Using debugging or memory monitoring tools to detect out-of-bounds reads or crashes when opening EMF files.

No specific network commands are applicable since the attack vector is local. However, you can use system commands to check the version of Canva Affinity installed to verify if it is vulnerable.

  • On Windows, identify the installed version with:
      wmic product where "name like '%Affinity%'" get name, version
  • Monitor for crash events in Windows Event Viewer under Application logs for faulting application Canva Affinity.

[1]

Mitigation Strategies

The immediate mitigation step is to apply the vendor-provided patch released on March 17, 2026, which fixes the out-of-bounds read vulnerability in Canva Affinity version 3.0.1.3808.

Additional mitigation steps include:

  • Avoid opening or processing untrusted or suspicious EMF files in Canva Affinity until the patch is applied.
  • Restrict user permissions to prevent untrusted users from running Canva Affinity or opening EMF files.
  • Monitor for unusual application crashes or access violations related to Canva Affinity as an indicator of attempted exploitation.