CVE-2026-20726
Out-of-Bounds Read in Canva Affinity EMF Risks Data Leak
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Talos
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canva | affinity | up to 3.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20726 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity version 3.0.1.3808.
The vulnerability occurs specifically in the handling of the EMR_POLYBEZIERTO16 record type within EMF files, where a Count field specifies the number of PointS objects in an array.
If the Count value is excessively large, it causes the program to read beyond the allocated memory boundary during iteration over the array, leading to an out-of-bounds read.
This improper bounds checking allows an attacker to craft a malicious EMF file that triggers reading beyond valid memory, potentially disclosing sensitive information from the process memory.
How can this vulnerability impact me?
Exploitation of this vulnerability allows an attacker to perform an out-of-bounds read, which can lead to the disclosure of sensitive information from the affected process's memory.
The vulnerability has a CVSS v3.1 score of 6.1, indicating a moderate severity with high confidentiality impact but no impact on integrity and low impact on availability.
The attack requires local access and user interaction but no special privileges, meaning an attacker could trick a user into opening a malicious EMF file to exploit this issue. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when processing specially crafted EMF files in Canva Affinity version 3.0.1.3808, specifically in the handling of the EMR_POLYBEZIERTO16 record type. Detection involves identifying attempts to open or process suspicious EMF files with an abnormally large Count value in the EMR_POLYBEZIERTO16 record.
Since the vulnerability triggers an access violation (code c0000005) due to out-of-bounds reads, monitoring application crash logs or Windows Event Viewer for such exceptions during EMF file processing can help detect exploitation attempts.
Commands or steps to detect this vulnerability include:
- Use debugging tools with pageheap enabled to monitor Canva Affinity for access violations when opening EMF files.
- Check Windows Event Logs for application errors related to Canva Affinity crashes (e.g., using Event Viewer or PowerShell commands like `Get-WinEvent`).
- Scan EMF files for suspiciously large Count values in the EMR_POLYBEZIERTO16 record by parsing the EMF file structure with custom scripts or forensic tools.
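One way to implement the Count check from the last item, as an added example that is not part of the original page or of any vendor tooling: a Python scanner that flags every EMR_POLYBEZIERTO16 record whose Count asks for more PointS entries than the record's own Size can hold. The record layout and type values follow the EMF format specification; the function names and the constructed, header-less sample stream are assumptions for illustration.

```python
import struct

EMR_HEADER = 0x01
EMR_POLYBEZIERTO16 = 0x58  # record type value from the EMF format specification
FIXED_PART = 28            # Type(4) + Size(4) + Bounds RectL(16) + Count(4)
POINTS_SIZE = 4            # one PointS object: two signed 16-bit coordinates


def scan_records(data: bytes) -> list[dict]:
    """Walk EMF records; report EMR_POLYBEZIERTO16 records whose Count cannot fit."""
    findings, offset = [], 0
    while offset + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, offset)
        # Size covers the whole record: 4-byte aligned and fully inside the buffer.
        if size < 8 or size % 4 or offset + size > len(data):
            findings.append({"offset": offset, "reason": "bad record size"})
            break
        if rtype == EMR_POLYBEZIERTO16:
            if size < FIXED_PART:
                findings.append({"offset": offset, "reason": "record too short"})
            else:
                count = struct.unpack_from("<I", data, offset + 24)[0]
                capacity = (size - FIXED_PART) // POINTS_SIZE
                if count > capacity:
                    findings.append({"offset": offset, "reason": "Count exceeds record",
                                     "count": count, "capacity": capacity})
        offset += size
    return findings


def scan_emf_file(path: str) -> list[dict]:
    """Check the EMR_HEADER type and ' EMF' signature, then scan every record."""
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) < 44 or data[:4] != struct.pack("<I", EMR_HEADER) or data[40:44] != b" EMF":
        raise ValueError("not an EMF file")
    return scan_records(data)


def sample_records(count: int, points: int) -> bytes:
    """Constructed record stream (no header, not a loadable file) for self-checks."""
    body = bytes(16) + struct.pack("<I", count) + bytes(points * POINTS_SIZE)
    poly = struct.pack("<II", EMR_POLYBEZIERTO16, 8 + len(body)) + body
    eof = struct.pack("<IIIII", 0x0E, 20, 0, 0, 20)  # EMR_EOF
    return poly + eof
```

Run `scan_emf_file` over EMF attachments or shared-drive files before they reach users on unpatched versions; any non-empty result is worth quarantining and reviewing.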
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the patch released by Canva on March 17, 2026, which addresses this out-of-bounds read vulnerability in Canva Affinity version 3.0.1.3808.
Additional immediate steps include:
- Avoid opening or processing untrusted or suspicious EMF files in Canva Affinity until the patch is applied.
- Implement application whitelisting and restrict user permissions to limit the ability to open malicious files.
- Monitor for unusual application crashes or behavior that could indicate exploitation attempts.