CVE-2026-22882
Out-of-Bounds Read in Canva Affinity EMF Risks Data Leak
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: Talos
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canva | affinity | to 3.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22882 is an out-of-bounds read vulnerability in the EMF (Enhanced Metafile Format) processing functionality of Canva Affinity, specifically in version 3.0.1.3808.
The vulnerability occurs when the application parses specially crafted EMF files containing malformed EMR_POLYPOLYLINE records. These records describe multiple connected line segments in the image file.
Due to incorrect handling, the application reads smaller-sized PointS objects (2 bytes each) instead of the expected larger PointL objects (4 bytes each), causing it to read beyond the allocated memory buffer.
This out-of-bounds read can lead to the disclosure of sensitive information from memory.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can be exploited by an attacker who convinces a user to open a specially crafted EMF file in Canva Affinity.'}, {'type': 'paragraph', 'content': "Because the vulnerability allows an out-of-bounds read, it can lead to the disclosure of sensitive information from the application's memory."}, {'type': 'paragraph', 'content': 'The CVSS score indicates a local attack vector with low complexity and no privileges required, but user interaction is needed.'}, {'type': 'paragraph', 'content': 'The impact is primarily on confidentiality, with no impact on integrity and low impact on availability.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from processing specially crafted EMF files containing malformed EMR_POLYPOLYLINE records in Canva Affinity version 3.0.1.3808. Detection involves identifying attempts to open or process suspicious EMF files with abnormal EMR_POLYPOLYLINE record fields.
Since the vulnerability is triggered by local file parsing, network detection may be limited to monitoring for EMF files transferred or opened on systems running the affected software.
Suggested commands to detect potential exploitation attempts include:
- On Windows, use PowerShell to scan for EMF files with suspicious sizes or metadata in user directories: `Get-ChildItem -Path C:\Users\*\Documents -Filter *.emf -Recurse | Where-Object { $_.Length -gt <expected_size_threshold> }`
- Monitor application crash logs or Windows Event Viewer for access violation errors (code c0000005) related to Canva Affinity processes, which may indicate out-of-bounds reads.
- Use file inspection tools or scripts to parse EMF files and check EMR_POLYPOLYLINE record fields (NumberOfPolylines and Count) for anomalous values exceeding expected limits.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid opening or processing EMF files from untrusted or unknown sources in Canva Affinity version 3.0.1.3808.
- Restrict user permissions to limit local file access and reduce the risk of exploitation, since the attack vector is local with user interaction required.
- Monitor for and investigate any application crashes or unusual behavior in Canva Affinity that may indicate exploitation attempts.
- Apply any patches or updates provided by Canva Affinity or the vendor addressing this vulnerability once available.