CVE-2025-66503
Out-of-Bounds Read in Canva Affinity EMF Risks Data Leak
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Talos
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canva | affinity | up to 3.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can be exploited by an attacker who provides a specially crafted EMF file to the affected Canva Affinity software.
Successful exploitation leads to an out-of-bounds read, which can disclose sensitive information from the application's memory.
The CVSS score indicates a high confidentiality impact, meaning that sensitive data could be exposed, but it requires local access and user interaction. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2025-66503 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity version 3.0.1.3808.
The vulnerability arises specifically in the handling of the EMR_POLYBEZIERTO record type within EMF files. EMF files store images in a device-independent format, and the EMR_POLYBEZIERTO record contains a Count field specifying the number of PointL objects in an array.
The issue occurs when the calculation based on the Count field causes the application to read beyond the allocated memory bounds while iterating over the PointL objects, leading to an out-of-bounds read.
This can result in the disclosure of arbitrary memory contents, potentially exposing sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing EMF files processed by Canva Affinity, specifically looking for malformed EMR_POLYBEZIERTO records with an abnormally large Count value that causes out-of-bounds reads.
Detection can involve monitoring for application crashes or access violations (code c0000005) when opening EMF files, especially with debugging tools like pageheap enabled.
While no specific commands are provided, you can use debugging tools such as Windows Debugger (WinDbg) with pageheap enabled to catch access violations during EMF file processing.
- Enable pageheap for the Canva Affinity executable to detect memory access violations.
- Use WinDbg or similar debugger to monitor for access violation exceptions (c0000005) when opening suspicious EMF files.
- Scan EMF files for EMR_POLYBEZIERTO records with Count fields that exceed expected sizes using custom scripts or binary analysis tools.
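The file scan from the last item, as an added example (not code from the advisory or the vendor): it walks the records of an EMF file and flags EMR_POLYBEZIERTO records whose Count needs more bytes than the record's own Size field provides. The record layout follows the public EMF format; the function names and the zero-filled sample bytes are constructed for illustration.

```python
import struct

EMR_HEADER, EMR_POLYBEZIERTO, EMR_EOF = 0x01, 0x05, 0x0E  # EMF record types
FIXED_LEN = 28   # Type(4) + Size(4) + Bounds RectL(16) + Count(4)
POINTL_LEN = 8   # one PointL: two 32-bit signed integers (x, y)

def scan_emf(data):
    """Return (offset, count, size, reason) tuples for suspicious records."""
    findings, off = [], 0
    if len(data) < 44 or data[40:44] != b" EMF":
        return [(0, None, None, "missing EMF header signature")]
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            findings.append((off, None, size, "record Size invalid or past end of file"))
            break
        if rtype == EMR_POLYBEZIERTO:
            if size < FIXED_LEN:
                findings.append((off, None, size, "record too short for Count field"))
            else:
                (count,) = struct.unpack_from("<I", data, off + 24)
                # Python integers do not wrap, so a huge Count cannot hide
                # behind a 32-bit overflow in this multiplication.
                needed = FIXED_LEN + count * POINTL_LEN
                if needed > size:
                    findings.append((off, count, size,
                                     f"Count needs {needed} bytes, record has {size}"))
        if rtype == EMR_EOF:
            break
        off += size
    return findings

def _record(rtype, body):
    return struct.pack("<II", rtype, 8 + len(body)) + body

def build_sample(count, n_points):
    """Constructed test input: header, one EMR_POLYBEZIERTO, EOF (zero-filled)."""
    header = _record(EMR_HEADER, bytes(32) + b" EMF" + bytes(44))   # 88 bytes
    poly = _record(EMR_POLYBEZIERTO,
                   bytes(16) + struct.pack("<I", count) + bytes(n_points * POINTL_LEN))
    eof = _record(EMR_EOF, struct.pack("<III", 0, 0, 20))
    return header + poly + eof

if __name__ == "__main__":
    for label, blob in (("consistent", build_sample(3, 3)),
                        ("oversized Count", build_sample(0x10000000, 3))):
        print(label, scan_emf(blob))
```

A finding means the record is structurally inconsistent with the EMF format; it is not proof that the file triggers this specific bug.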
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the vendor-provided patch released on March 17, 2026, which addresses the out-of-bounds read vulnerability in Canva Affinity.
Until the patch is applied, avoid opening untrusted or suspicious EMF files with Canva Affinity to prevent exploitation.
Additionally, consider restricting user interaction with Canva Affinity or running it with limited privileges to reduce the risk.