CVE-2025-66342
Received Received - Intake
Type Confusion in Canva Affinity EMF Leads to Code Execution

Publication date: 2026-03-17

Last updated on: 2026-03-19

Assigner: Talos

Description
A type confusion vulnerability exists in the EMF functionality of Canva Affinity. A specially crafted EMF file can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66342
EUVD
EUVD-2025-208803
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
canva affinity to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-66342 is a type confusion vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity, specifically in version 3.0.1.3808.

The vulnerability occurs because the application improperly handles EMF records, particularly when the ihBrush index in an EMR_FRAMERGN record references an invalid brush object index that does not match any valid brush created by EMR_CREATEBRUSHINDIRECT records.

This mismatch causes the application to treat an arbitrary object as a brush without proper validation, leading to type confusion.

When the invalid brush object is accessed, uninitialized fields are dereferenced, causing memory corruption and potentially crashes or access violations.

Exploiting this vulnerability can allow an attacker to execute arbitrary code on the affected system.

Impact Analysis

This vulnerability can lead to memory corruption in Canva Affinity when processing specially crafted EMF files.

An attacker who can provide a malicious EMF file could exploit this flaw to execute arbitrary code on your system.

The impact includes potential unauthorized access, data modification, or disruption of system availability.

Because the vulnerability requires local access and user interaction, an attacker would need to convince a user to open or process a crafted EMF file.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by analyzing EMF files processed by Canva Affinity, specifically looking for malformed EMR_FRAMERGN records where the ihBrush index does not match any valid brush object created by EMR_CREATEBRUSHINDIRECT records.

Detection involves inspecting EMF files for inconsistencies in the brush index references, which may require custom scripts or tools to parse EMF records and validate the ihBrush indices.

Since the vulnerability requires local access and user interaction, monitoring for crashes or access violation exceptions in Canva Affinity when opening EMF files can also indicate exploitation attempts.

No specific commands are provided in the available resources, but enabling debugging tools such as pageheap to detect invalid memory accesses during EMF file processing can help identify exploitation.

Mitigation Strategies

Immediate mitigation steps include avoiding opening or processing untrusted or specially crafted EMF files in Canva Affinity, especially version 3.0.1.3808.

Restrict local access to systems running vulnerable versions of Canva Affinity to prevent exploitation, as the vulnerability requires local access and user interaction.

Monitor for application crashes or abnormal behavior when handling EMF files, which may indicate exploitation attempts.

Apply any available patches or updates from the vendor once released to address this type confusion vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66342. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart