CVE-2025-66000
Received - Intake
Out-of-Bounds Read in Canva Affinity EMF Risks Data Exposure

Publication date: 2026-03-17

Last updated on: 2026-03-19

Assigner: Talos

Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Meta Information
Published: 2026-03-17
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product     Version / Range
canva     affinity    to 3.1.0 (exc)
CWE ID     Description
CWE-125    The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-66000 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity version 3.0.1.3808.

The flaw occurs specifically in handling the EMR_POLYDRAW record type within EMF files, where the Count field is not properly validated.

If the Count value is set maliciously large, the program reads beyond the allocated memory bounds when accessing arrays of points and types, leading to an out-of-bounds read.

This can cause the application to read arbitrary memory within the Affinity process, potentially leaking sensitive information.


How can this vulnerability impact me?

Exploitation of this vulnerability allows an attacker to perform an out-of-bounds read, which can lead to the disclosure of sensitive information from the memory of the Affinity process.

Because the vulnerability has a high confidentiality impact, sensitive data could be exposed without the attacker needing privileges, although local access and user interaction are required.

This could compromise your privacy or the confidentiality of your data handled by Canva Affinity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is triggered by processing specially crafted EMF files in Canva Affinity version 3.0.1.3808. Detection involves monitoring for crashes or access violations (code c0000005) in the Affinity process when opening or handling EMF files, especially those containing malformed EMR_POLYDRAW records.

Since the vulnerability requires local user interaction and affects the EMF file processing, you can detect potential exploitation by:

  • Monitoring application logs or system event logs for access violation errors related to Canva Affinity.
  • Using debugging or memory monitoring tools to detect out-of-bounds reads or crashes when opening EMF files.

No specific network commands are applicable since the attack vector is local. However, you can use system commands to check the version of Canva Affinity installed to verify if it is vulnerable.

  • On Windows, identify the installed version with:
      wmic product where "name like '%Affinity%'" get name, version
  • Monitor for crash events in Windows Event Viewer under Application logs for faulting application Canva Affinity. [1]
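
An added example, not code from Canva, Talos or this page: a static pre-check that walks the records of an EMF file and flags any EMR_POLYDRAW record whose Count field cannot fit inside the record's declared Size, the validation described above as missing. The record layout and type values are taken from the published EMF specification ([MS-EMF]) rather than from this page, and the sample bytes are constructed.

```python
import struct

EMR_HEADER, EMR_EOF, EMR_POLYDRAW = 0x01, 0x0E, 0x38  # type values per [MS-EMF]
POLYDRAW_FIXED = 28  # Type(4) + Size(4) + Bounds(16) + Count(4)

def polydraw_count_ok(record: bytes) -> bool:
    """True if aPoints (Count * 8 bytes) and abTypes (Count bytes) fit in the record."""
    if len(record) < POLYDRAW_FIXED:
        return False
    (count,) = struct.unpack_from("<I", record, 24)
    # Python ints do not wrap; a C port must guard Count * 9 against overflow.
    return POLYDRAW_FIXED + count * 9 <= len(record)

def scan_emf(data: bytes) -> list:
    """Walk EMF records; return (offset, message) for each structural problem."""
    findings, off = [], 0
    if len(data) < 8 or struct.unpack_from("<I", data, 0)[0] != EMR_HEADER:
        return [(0, "not an EMF: first record is not EMR_HEADER")]
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            findings.append((off, f"record type {rtype:#x}: bad Size {size}"))
            break  # cannot locate the next record reliably
        if rtype == EMR_POLYDRAW and not polydraw_count_ok(data[off:off + size]):
            findings.append((off, "EMR_POLYDRAW: Count exceeds record Size"))
        if rtype == EMR_EOF:
            break
        off += size
    return findings

def sample_emf(count_field: int, n_points: int = 4) -> bytes:
    """Constructed test input: stub header, one EMR_POLYDRAW, EMR_EOF."""
    header = struct.pack("<II", EMR_HEADER, 88) + bytes(32) + b" EMF" + bytes(44)
    body = bytes(16) + struct.pack("<I", count_field) + bytes(n_points * 9)
    body += bytes(-len(body) % 4)  # records are padded to 4-byte multiples
    polydraw = struct.pack("<II", EMR_POLYDRAW, 8 + len(body)) + body
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 0, 20)
    return header + polydraw + eof

if __name__ == "__main__":
    for label, count in (("consistent", 4), ("oversized", 0x10000000)):
        print(label, scan_emf(sample_emf(count)))
```

Run over files in a mail or download quarantine, a non-empty result marks an EMF that should not be opened in an unpatched Affinity install.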


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the vendor-provided patch released on March 17, 2026, which fixes the out-of-bounds read vulnerability in Canva Affinity version 3.0.1.3808.

Additional mitigation steps include:

  • Avoid opening or processing untrusted or suspicious EMF files in Canva Affinity until the patch is applied.
  • Restrict user permissions to prevent untrusted users from running Canva Affinity or opening EMF files.
  • Monitor for unusual application crashes or access violations related to Canva Affinity as an indicator of attempted exploitation.
