CVE-2025-61952 Overview
CVE-2025-61952 is an out-of-bounds read vulnerability in the Enhanced Metafile (EMF) parsing functionality of Canva Affinity on Windows. An attacker can craft a malicious EMF file that, when opened by a victim in Affinity, triggers a read beyond the bounds of an allocated buffer. The condition can disclose sensitive memory contents and disrupt application availability. The flaw is tracked under CWE-125: Out-of-Bounds Read and was reported through Cisco Talos research.
Critical Impact
Successful exploitation can disclose sensitive in-process memory and crash the Affinity application, requiring only that a user open an attacker-supplied EMF file.
Affected Products
- Canva Affinity (Windows)
- Affinity applications processing EMF graphics files
- Workstations running vulnerable versions of Canva Affinity
Discovery Timeline
- 2026-03-17 - CVE-2025-61952 published to the National Vulnerability Database (NVD)
- 2026-03-19 - Last updated in NVD
Technical Details for CVE-2025-61952
Vulnerability Analysis
The vulnerability resides in the EMF file format handler used by Canva Affinity. EMF is a Windows vector graphics format composed of records describing drawing operations. When Affinity parses a malformed EMF record, the parser reads memory outside the bounds of the allocated buffer associated with the record data.
The issue requires local file access and user interaction. A victim must open or import the crafted EMF file inside Affinity for the parsing path to execute. The read primitive can leak adjacent heap memory, potentially exposing pointers, tokens, or document data, and can also cause the process to terminate when invalid memory is dereferenced.
Root Cause
The root cause is missing or insufficient validation of length and offset fields within EMF records before the parser reads record payload data. The parser trusts attacker-controlled size values from the file, then performs reads against a smaller backing buffer. This is a classic CWE-125 pattern in legacy raster and metafile parsers.
Attack Vector
Exploitation follows a local, user-assisted path. An attacker delivers a crafted .emf file through email, a shared document, a design asset bundle, or a website. The victim opens the file in Affinity, triggering the vulnerable EMF processing routine. No elevated privileges are required for the attacker, but user interaction is mandatory.
Detailed technical analysis is available in the Talos Intelligence Vulnerability Report TALOS-2025-2317.
Detection Methods for CVE-2025-61952
Indicators of Compromise
- Unexpected crashes of Affinity processes correlated with opening .emf files from untrusted sources
- Windows Error Reporting (WER) entries citing access violations in Affinity image parsing modules
- Inbound .emf attachments or downloads from low-reputation senders or domains
- Anomalous child-process or memory-dump activity originating from Affinity executables
Detection Strategies
- Monitor endpoint telemetry for Affinity process crashes (AppHangB1, APPCRASH) tied to EMF file handles
- Use file-content inspection to flag EMF files with malformed record sizes or oversized header offsets
- Correlate email gateway and web proxy logs for delivery of .emf attachments to design and marketing users
- Hunt for memory dumps or .dmp artifacts written under Affinity user profile paths shortly after file opens
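The file-content inspection strategy above, and the length and offset validation described under Root Cause, can be illustrated with a structural check of the EMF record chain. This is an added example, not code from Canva, Talos or the original page: it applies generic checks based on the MS-EMF record layout (each record starts with a 4-byte Type and a 4-byte Size) and is not a signature for the specific malformed record, which the page does not identify. The names `inspect_emf` and `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

EMR_HEADER, EMR_EOF = 1, 14       # record types defined in MS-EMF
EMF_SIGNATURE = 0x464D4520        # " EMF", at header offset 40
MIN_HEADER = 88                   # size of the base EMR_HEADER record

def inspect_emf(data: bytes) -> list[str]:
    """Return structural findings; an empty list means sizes and offsets are consistent."""
    if len(data) < MIN_HEADER:
        return ["file shorter than EMR_HEADER"]
    rtype, hsize = struct.unpack_from("<II", data, 0)
    sig, _version, nbytes, nrecords = struct.unpack_from("<IIII", data, 40)
    n_desc, off_desc = struct.unpack_from("<II", data, 60)
    if rtype != EMR_HEADER or sig != EMF_SIGNATURE:
        return ["not an EMF header"]
    findings = []
    if hsize < MIN_HEADER:
        findings.append(f"header Size={hsize} is below {MIN_HEADER}")
    if nbytes != len(data):
        findings.append(f"header Bytes={nbytes}, file is {len(data)} bytes")
    # The description is n_desc UTF-16 characters at off_desc inside the header record.
    if n_desc and (off_desc < MIN_HEADER or off_desc + 2 * n_desc > hsize):
        findings.append("description offset/length outside header record")
    pos = count = 0
    while pos + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, pos)
        # Never trust Size: it must cover its own 8-byte prefix, be 4-byte
        # aligned, and fit in the bytes that remain in the file.
        if rsize < 8 or rsize % 4 or rsize > len(data) - pos:
            findings.append(f"record {count} (type {rtype}) at offset {pos}: bad Size={rsize}")
            return findings
        count, pos = count + 1, pos + rsize
        if rtype == EMR_EOF:
            if count != nrecords:
                findings.append(f"header Records={nrecords}, walked {count}")
            return findings
    findings.append("record chain ends without EMR_EOF")
    return findings

def build_sample(eof_size: int = 20) -> bytes:
    """Constructed minimal EMF (header + EMR_EOF); eof_size sets the EOF record's Size field."""
    eof = struct.pack("<IIIII", EMR_EOF, eof_size, 0, 0, 20)
    header = struct.pack("<II", EMR_HEADER, MIN_HEADER) + bytes(32)
    header += struct.pack("<IIII", EMF_SIGNATURE, 0x10000, MIN_HEADER + len(eof), 2)
    header += bytes(MIN_HEADER - len(header))
    return header + eof

if __name__ == "__main__":
    print(inspect_emf(build_sample()))         # well-formed sample
    print(inspect_emf(build_sample(0x1000)))   # Size field larger than the file
```

Any finding is a reason to quarantine the file for review rather than proof of an exploit attempt, since damaged or truncated exports produce the same inconsistencies.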
Monitoring Recommendations
- Track file-open events for .emf files inside Affinity processes through EDR file and process telemetry
- Alert on repeated Affinity crashes on the same endpoint within short time windows
- Inventory hosts running Canva Affinity to scope exposure and prioritize patch deployment
- Review user-reported document import failures as potential exploitation attempts
How to Mitigate CVE-2025-61952
Immediate Actions Required
- Update Canva Affinity to the latest version published on the Canva Trust Center
- Restrict opening of EMF files received from external or untrusted sources until patched
- Notify design and creative teams about the risk of opening unsolicited .emf files
- Inventory endpoints with Affinity installed and confirm version status
Patch Information
Canva has published security guidance through the Canva Trust Center. Administrators should consult the vendor advisory for the fixed build number and apply updates across all Windows endpoints running Affinity. Refer to the Talos report TALOS-2025-2317 for vulnerability scope.
Workarounds
- Block .emf file delivery at email and web gateways for users who do not require the format
- Use Windows file association policies to prevent automatic opening of EMF files by Affinity
- Open untrusted graphics files only inside isolated virtual machines or sandboxed sessions
- Apply application allowlisting to restrict Affinity execution to known clean document repositories
# Example: block .emf attachments at an email gateway (pseudo-rule)
if attachment.extension == ".emf" and sender.reputation < trusted_threshold:
    action = quarantine
    notify = security_operations


