CVE-2025-66617
Out-of-Bounds Read in Canva Affinity EMF Risks Data Leak
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Talos
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canva | affinity | up to 3.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66617 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity version 3.0.1.3808.
The flaw occurs specifically in the handling of the EMR_POLYPOLYLINE16 record type within EMF files, where the application reads beyond the allocated buffer due to incorrect size calculations of an array of points.
This causes the application to access memory outside the intended bounds, potentially leading to the disclosure of arbitrary memory contents.
How can this vulnerability impact me?
Exploitation of this vulnerability allows an attacker to perform an out-of-bounds read, which can lead to the disclosure of sensitive information stored in the memory of the Affinity process.
The vulnerability has a high confidentiality impact, meaning that sensitive data could be exposed without affecting data integrity or causing significant availability issues.
However, exploitation requires local access and user interaction, and the attack complexity is low with no privileges required.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by specially crafted EMF files processed locally by Canva Affinity version 3.0.1.3808. Detection involves identifying such malicious EMF files or monitoring the application behavior for out-of-bounds read errors.
Since the vulnerability arises from the EMR_POLYPOLYLINE16 record in EMF files, you can inspect EMF files for irregularities in the recordSize and the calculated size of the aPoints array.
Commands or tools to detect this vulnerability might include:
- Using a hex editor or EMF file parser to analyze EMF files for malformed EMR_POLYPOLYLINE16 records where the aPoints array size exceeds the declared recordSize.
- Enabling debugging tools such as pageheap on Windows to monitor Canva Affinity for access violations or crashes related to EMF file processing.
- Monitoring application logs or system event logs for exceptions or crashes triggered by EMF file handling.
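The record-size check from the first item above can be scripted. The following is an added example, not code from this page or from the vendor; the record type value 0x5A and the field offsets are taken from Microsoft's published EMF record layout rather than from this advisory, the function names are hypothetical, and the sample blobs are constructed (zeroed header, not renderable files).

```python
import struct

EMR_EOF = 0x0E
EMR_POLYPOLYLINE16 = 0x5A
FIXED = 32  # Type, Size, Bounds (16 bytes), NumberOfPolylines, Count

def check_polypolyline16(data, off, rsize):
    """Return a reason string if the record's counts do not fit, else None."""
    if rsize < FIXED:
        return "record shorter than its fixed fields"
    npolys, count = struct.unpack_from("<II", data, off + 24)
    needed = FIXED + 4 * npolys + 4 * count  # count array + aPoints (4 bytes each)
    if needed > rsize:
        return f"counts need {needed} bytes, record declares {rsize}"
    per_poly = struct.unpack_from(f"<{npolys}I", data, off + FIXED)
    if sum(per_poly) > count:  # extra consistency check (assumption, not from the page)
        return f"polylines claim {sum(per_poly)} points, Count is {count}"
    return None

def scan_emf(data):
    """Walk the record list; return [(offset, reason)] for malformed records."""
    findings, off = [], 0
    while off + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, off)
        if rsize < 8 or rsize % 4 or off + rsize > len(data):
            findings.append((off, "record size invalid or past end of file"))
            break
        if rtype == EMR_POLYPOLYLINE16:
            reason = check_polypolyline16(data, off, rsize)
            if reason:
                findings.append((off, reason))
        if rtype == EMR_EOF:
            break
        off += rsize
    return findings

# Constructed sample files (not real artwork): header + one record + EOF.
def polypolyline16(counts, declared_count, points):
    body = bytes(16) + struct.pack("<II", len(counts), declared_count)
    body += struct.pack(f"<{len(counts)}I", *counts)
    body += b"".join(struct.pack("<hh", x, y) for x, y in points)
    return struct.pack("<II", EMR_POLYPOLYLINE16, 8 + len(body)) + body

HEADER = struct.pack("<II", 0x01, 88) + bytes(80)
EOF = struct.pack("<II", EMR_EOF, 20) + bytes(12)
GOOD = HEADER + polypolyline16([2], 2, [(0, 0), (10, 10)]) + EOF
BAD = HEADER + polypolyline16([4096], 4096, [(0, 0), (10, 10)]) + EOF

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, scan_emf(blob))
```

To triage a real file, pass its bytes to `scan_emf`; an empty list means no record failed these checks, not that the file is safe.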
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch released by the vendor on March 17, 2026, which addresses this vulnerability in Canva Affinity version 3.0.1.3808.
Until the patch is applied, avoid opening or processing untrusted or suspicious EMF files with Canva Affinity to prevent exploitation.
Additionally, consider restricting user permissions to limit local attack vectors and educate users about the risks of opening files from untrusted sources.