CVE-2025-66342
Type Confusion in Canva Affinity EMF Leads to Code Execution
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Talos
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canva | affinity | to 3.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66342 is a type confusion vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity, specifically in version 3.0.1.3808.
The vulnerability occurs because the application improperly handles EMF records, particularly when the ihBrush index in an EMR_FRAMERGN record references an invalid brush object index that does not match any valid brush created by EMR_CREATEBRUSHINDIRECT records.
This mismatch causes the application to treat an arbitrary object as a brush without proper validation, leading to type confusion.
When the invalid brush object is accessed, uninitialized fields are dereferenced, causing memory corruption and potentially crashes or access violations.
Exploiting this vulnerability can allow an attacker to execute arbitrary code on the affected system.
How can this vulnerability impact me?
This vulnerability can lead to memory corruption in Canva Affinity when processing specially crafted EMF files.
An attacker who can provide a malicious EMF file could exploit this flaw to execute arbitrary code on your system.
The impact includes potential unauthorized access, data modification, or disruption of system availability.
Because the vulnerability requires local access and user interaction, an attacker would need to convince a user to open or process a crafted EMF file.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing EMF files processed by Canva Affinity, specifically looking for malformed EMR_FRAMERGN records where the ihBrush index does not match any valid brush object created by EMR_CREATEBRUSHINDIRECT records.
Detection involves inspecting EMF files for inconsistencies in the brush index references, which may require custom scripts or tools to parse EMF records and validate the ihBrush indices.
Since the vulnerability requires local access and user interaction, monitoring for crashes or access violation exceptions in Canva Affinity when opening EMF files can also indicate exploitation attempts.
No specific commands are provided in the available resources, but enabling debugging tools such as pageheap to detect invalid memory accesses during EMF file processing can help identify exploitation.
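The detection approach described above (parse the EMF record stream, track which object-table slots hold brushes, and flag EMR_FRAMERGN records whose ihBrush does not resolve to a brush) can be scripted. The following is an added example written for this page; it is not Talos, Canva or Affinity code and makes no claim about how Affinity itself resolves handles. It assumes the public MS-EMF record layouts (4-byte iType and nSize, object index at offset 8 in create/delete records, ihBrush at offset 28 in EMR_FILLRGN and EMR_FRAMERGN, Handles count at offset 56 of EMR_HEADER) and a stock-object flag of 0x80000000. It generalizes slightly beyond the page by also checking EMR_FILLRGN, which shares the EMR_FRAMERGN layout, and by treating references to deleted, never-created and out-of-range slots as distinct findings. The input is a constructed byte stream, not a real metafile.

```python
import struct

EMR_HEADER, EMR_EOF = 1, 14
EMR_DELETEOBJECT = 40
EMR_FILLRGN, EMR_FRAMERGN = 71, 72
STOCK_OBJECT_FLAG = 0x80000000  # high bit marks a stock object, not a table slot

# Record types that allocate an object-table slot; ihObject sits at offset 8 in all of them.
CREATE_RECORDS = {
    38: "pen",          # EMR_CREATEPEN
    39: "brush",        # EMR_CREATEBRUSHINDIRECT
    49: "palette",      # EMR_CREATEPALETTE
    82: "font",         # EMR_EXTCREATEFONTINDIRECTW
    93: "brush",        # EMR_CREATEMONOBRUSH
    94: "brush",        # EMR_CREATEDIBPATTERNBRUSHPT
    95: "pen",          # EMR_EXTCREATEPEN
    99: "colorspace",   # EMR_CREATECOLORSPACE
}
# Region records that consume a brush: iType(4) nSize(4) Bounds(16) RgnDataSize(4) ihBrush(4) ...
BRUSH_CONSUMERS = {EMR_FILLRGN: "EMR_FILLRGN", EMR_FRAMERGN: "EMR_FRAMERGN"}
IH_BRUSH_OFFSET = 28


def iter_records(data):
    """Yield (offset, type, record_bytes); record_bytes is None on a truncated record."""
    off = 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or off + size > len(data):
            yield off, rtype, None
            return
        yield off, rtype, data[off:off + size]
        off += size


def check_brush_references(data):
    """Return a list of (record_offset, message) for every suspicious brush reference."""
    findings = []
    table = {}          # object index -> object kind currently held in that slot
    n_handles = None    # declared object-table size from EMR_HEADER
    for off, rtype, rec in iter_records(data):
        if rec is None:
            findings.append((off, "truncated or malformed record size"))
            break
        if rtype == EMR_HEADER and len(rec) >= 58:
            n_handles = struct.unpack_from("<H", rec, 56)[0]
        elif rtype in CREATE_RECORDS and len(rec) >= 12:
            ih = struct.unpack_from("<I", rec, 8)[0]
            if n_handles is not None and (ih == 0 or ih >= n_handles):
                findings.append((off, f"create record uses out-of-range object index {ih}"))
            table[ih] = CREATE_RECORDS[rtype]
        elif rtype == EMR_DELETEOBJECT and len(rec) >= 12:
            table.pop(struct.unpack_from("<I", rec, 8)[0], None)
        elif rtype in BRUSH_CONSUMERS:
            name = BRUSH_CONSUMERS[rtype]
            if len(rec) < IH_BRUSH_OFFSET + 4:
                findings.append((off, f"{name} too short to hold ihBrush"))
                continue
            ih = struct.unpack_from("<I", rec, IH_BRUSH_OFFSET)[0]
            if ih & STOCK_OBJECT_FLAG:
                continue  # stock brush handle, not a table slot; outside this check
            kind = table.get(ih)
            if n_handles is not None and ih >= n_handles:
                findings.append((off, f"{name} ihBrush {ih} is outside the {n_handles}-entry object table"))
            elif kind is None:
                findings.append((off, f"{name} ihBrush {ih} references an unallocated slot"))
            elif kind != "brush":
                findings.append((off, f"{name} ihBrush {ih} references a {kind}, not a brush"))
        elif rtype == EMR_EOF:
            break
    return findings


def _rec(rtype, payload):
    return struct.pack("<II", rtype, 8 + len(payload)) + payload


def _framergn(ih_brush):
    # Bounds(16 zero bytes) + RgnDataSize=0 + ihBrush + Width=1 + Height=1; RgnData omitted.
    return _rec(EMR_FRAMERGN, b"\0" * 16 + struct.pack("<IIII", 0, ih_brush, 1, 1))


def build_constructed_sample():
    """Constructed EMF byte stream (not a real file) declaring an 8-entry object table."""
    header_payload = (b"\0" * 32                                   # Bounds, Frame
                      + struct.pack("<IIIIHH", 0x464D4520, 0x10000, 0, 0, 8, 0)  # " EMF", version, bytes, records, Handles, reserved
                      + struct.pack("<7I", 0, 0, 0, 0, 0, 0, 0))   # description, palette, device, millimeters
    return b"".join([
        _rec(EMR_HEADER, header_payload),                           # offset 0, 88 bytes
        _rec(39, struct.pack("<IIII", 1, 0, 0x0000FF, 0)),          # slot 1 <- solid brush
        _rec(38, struct.pack("<IIIII", 2, 0, 1, 0, 0)),             # slot 2 <- pen
        _framergn(1),   # valid: slot 1 is a brush
        _framergn(2),   # type confusion candidate: slot 2 holds a pen
        _framergn(7),   # never created
        _framergn(9),   # beyond the declared table size
        _rec(EMR_EOF, struct.pack("<III", 0, 0x10, 0x14)),
    ])


if __name__ == "__main__":
    for offset, message in check_brush_references(build_constructed_sample()):
        print(f"offset {offset}: {message}")
```

Run it against a directory of .emf files by calling check_brush_references on each file's bytes; a non-empty result is a reason to quarantine the file and inspect it by hand rather than proof of exploitation, since some producers emit sloppy but harmless handle usage.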
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding opening or processing untrusted or specially crafted EMF files in Canva Affinity, especially version 3.0.1.3808.
Restrict local access to systems running vulnerable versions of Canva Affinity to prevent exploitation, as the vulnerability requires local access and user interaction.
Monitor for application crashes or abnormal behavior when handling EMF files, which may indicate exploitation attempts.
Apply any available patches or updates from the vendor once released to address this type confusion vulnerability.