Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
AnalysisAI
Canva Affinity's EMF file parser is vulnerable to an out-of-bounds read (CWE-125) when processing specially crafted EMF files, allowing local attackers to extract sensitive data from application memory. This medium-severity vulnerability affects users who open untrusted EMF files and currently has no available patch. The attack requires user interaction and local access but poses a real information disclosure risk.
Technical ContextAI
The vulnerability is rooted in improper bounds checking when parsing EMF (Enhanced Metafile) format files, a legacy graphics file format commonly used for vector graphics interchange on Windows systems. The root cause is classified under CWE-125 (Out-of-bounds Read), which occurs when a program reads data from a memory location outside the intended buffer boundaries without proper validation. Canva Affinity (CPE: cpe:2.3:a:canva:affinity:*:*:*:*:*:*:*:*) handles EMF file import for compatibility with legacy graphics workflows, but the EMF parsing library or in-house parser fails to validate record lengths and offsets before dereferencing memory structures. This allows an attacker to craft an EMF file with malformed record headers that cause the parser to read adjacent memory regions, potentially exposing heap data, stack contents, or other sensitive process information.
RemediationAI
Apply the security patch provided by Canva through the official security advisory at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62 to upgrade Affinity to a patched version that includes bounds-checked EMF parsing. Until patching is completed, mitigate by disabling EMF file import in Affinity if the feature is non-essential for workflows, or restrict file handling to EMF files from trusted sources only. System administrators managing Affinity deployments should implement file type filtering at the network or endpoint level to block unexpected EMF file delivery. Additionally, monitor for suspicious file submissions with EMF extensions and educate users not to open unsolicited EMF files from untrusted sources.
A type confusion vulnerability in the EMF (Enhanced Metafile) functionality of Canva Affinity allows attackers to achiev
An out-of-bounds write vulnerability in Canva Affinity's EMF file processing allows attackers to achieve code execution
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, al
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file handling functionality of Canva Affinity,
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, allow
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity,
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling that allows attacke
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, af
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity,
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affec
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affec
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling functionality, affe
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12618