Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
AnalysisAI
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affecting Affinity version 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from process memory. With a CVSS score of 6.1 and a local attack vector requiring user interaction, this vulnerability poses a moderate risk of information disclosure with minimal availability impact.
Technical ContextAI
The vulnerability resides in Canva Affinity's EMF (Enhanced Metafile) file parsing logic, which is responsible for interpreting Windows-based vector graphics files. EMF is a legacy Microsoft graphics format that contains sequences of graphics device interface (GDI) commands. The root cause is classified under CWE-125 (Out-of-bounds Read), indicating that the EMF parser fails to properly validate buffer boundaries when processing EMF record structures or embedded data. When a crafted EMF file with malformed record headers or oversized data fields is processed, the parser reads beyond allocated memory buffers, exposing adjacent heap or stack memory. The affected product is identified via CPE cpe:2.3:a:canva:affinity:*:*:*:*:*:*:*:*, confirming this affects Canva's Affinity design suite across multiple versions.
RemediationAI
Immediately upgrade Canva Affinity to the patched version referenced in the Canva trust advisory (https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62). Until patching is complete, users should avoid opening EMF files from untrusted sources and consider disabling EMF import functionality if not essential to workflow. System administrators should restrict file uploads and enforce content scanning for EMF files in shared repositories. Endpoint detection and response (EDR) tools should be configured to alert on abnormal memory access patterns in Affinity processes. As a compensating control, restrict Affinity execution to isolated user contexts to limit the sensitivity of disclosed information.
A type confusion vulnerability in the EMF (Enhanced Metafile) functionality of Canva Affinity allows attackers to achiev
An out-of-bounds write vulnerability in Canva Affinity's EMF file processing allows attackers to achieve code execution
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, al
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file handling functionality of Canva Affinity,
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, allow
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity,
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling that allows attacke
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, af
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity,
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affec
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling functionality, affe
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality that a
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208785