CVE-2025-61979: Canva Affinity Information Disclosure Flaw

CVE-2025-61979 Overview

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information. This vulnerability affects users who open malicious EMF files within the Canva Affinity application on Windows systems.

Critical Impact

This vulnerability enables attackers to read memory beyond allocated buffer boundaries, potentially exposing sensitive data stored in process memory or causing application crashes leading to denial of service.

Affected Products

• Canva Affinity for Windows (all versions prior to patch)

Discovery Timeline

• 2026-03-17 - CVE-2025-61979 published to NVD
• 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2025-61979

Vulnerability Analysis

This vulnerability is classified as CWE-125 (Out-of-bounds Read), which occurs when software reads data past the end or before the beginning of the intended buffer. In the context of Canva Affinity's EMF processing functionality, the application fails to properly validate boundary conditions when parsing Enhanced Metafile records. When a user opens a maliciously crafted EMF file, the parser may attempt to read memory locations beyond the allocated buffer, potentially exposing sensitive information from adjacent memory regions.

The vulnerability requires local access and user interaction—specifically, a victim must be convinced to open a malicious EMF file. Upon successful exploitation, attackers could potentially extract sensitive data that resides in process memory, including cryptographic keys, user credentials, or other confidential information. Additionally, attempting to read invalid memory addresses may result in application crashes, causing denial of service.

Root Cause

The root cause of this vulnerability lies in insufficient bounds checking within the EMF file parsing routines of Canva Affinity. When processing EMF record structures, the application does not adequately validate that the requested read operations remain within the boundaries of the allocated buffer. Malformed EMF files can contain manipulated size or offset values that direct the parser to read beyond the intended memory regions.

Attack Vector

This vulnerability requires local access to the target system, meaning an attacker cannot exploit it remotely over a network without first delivering the malicious payload. The attack vector involves:

1. Delivery: An attacker crafts a specially designed EMF file with manipulated record structures
2. Social Engineering: The attacker must convince the victim to open the malicious EMF file using Canva Affinity
3. Exploitation: Upon parsing the malformed EMF file, the application reads memory beyond buffer boundaries
4. Impact: The attacker may gain access to sensitive data or cause application crashes

The exploitation does not require elevated privileges, but does require user interaction to open the malicious file. This attack is particularly relevant for design professionals who frequently work with various graphic file formats in Canva Affinity.

Detection Methods for CVE-2025-61979

Indicators of Compromise

• Unexpected crashes or instability in Canva Affinity when opening EMF files
• EMF files from untrusted sources with unusually large or malformed header values
• Memory access violations logged in Windows Event Viewer related to Affinity processes
• Suspicious EMF files with atypical record structures or embedded data

Detection Strategies

• Deploy endpoint detection rules to monitor for abnormal memory access patterns in Canva Affinity processes
• Implement file-based detection for EMF files with malformed or suspicious header structures
• Configure application whitelisting to restrict opening of EMF files from untrusted sources
• Utilize behavioral analysis to detect memory read violations in graphics processing applications

Monitoring Recommendations

• Monitor Windows Event Logs for application crashes related to Canva Affinity processes
• Enable enhanced logging for file operations involving EMF format files
• Implement network monitoring to detect delivery of potentially malicious EMF files via email or web downloads
• Review user activity for patterns of opening files from untrusted external sources

How to Mitigate CVE-2025-61979

Immediate Actions Required

• Apply the latest security patches from Canva for the Affinity application
• Restrict opening of EMF files from untrusted or unknown sources
• Educate users about the risks of opening unsolicited graphic files
• Consider temporarily disabling EMF file handling until patches are applied

Patch Information

Canva has published a security advisory addressing this vulnerability. Users should update Canva Affinity to the latest patched version available through official channels. For detailed patch information and download links, refer to the Canva Trust Advisory. Additional technical details are available in the Talos Intelligence Vulnerability Report.

Workarounds

• Configure email gateways to quarantine or block EMF file attachments from external sources
• Implement application control policies to prevent Canva Affinity from processing EMF files from specific directories
• Use sandboxed environments when working with EMF files from untrusted sources
• Consider using alternative file formats where possible until the vulnerability is patched

# Example: Block EMF file extensions at the email gateway (PowerShell for Exchange)
Set-TransportRule -Name "Block EMF Attachments" -AttachmentExtensionMatchesWords "emf" -RejectMessageReasonText "EMF attachments blocked due to security policy"