CVE-2025-64735 Overview
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information. This vulnerability requires user interaction, as the victim must open a malicious EMF file for the attack to succeed.
Critical Impact
Successful exploitation could allow attackers to read sensitive memory contents beyond intended boundaries, potentially exposing confidential data or enabling further attacks through information disclosure.
Affected Products
- Canva Affinity for Windows (all versions prior to patch)
Discovery Timeline
- 2026-03-17 - CVE-2025-64735 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-64735
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), which occurs when software reads data past the end or before the beginning of an intended buffer. In the context of Canva Affinity's EMF processing functionality, the application fails to properly validate boundaries when parsing Enhanced Metafile records.
When Canva Affinity processes an EMF file, it parses various EMF records that define graphical operations. The vulnerability manifests when certain record structures within the EMF file specify lengths or offsets that cause the parser to read memory beyond the allocated buffer. This can result in the exposure of adjacent memory contents, which may contain sensitive application data, heap metadata, or pointers that could aid further exploitation.
The local attack vector requires the victim to open a malicious EMF file, but the attack complexity is low once the file is opened. No special privileges are required by the attacker, making this vulnerability accessible to a wide range of threat actors who can deliver malicious files through email attachments, downloads, or other file-sharing mechanisms.
Root Cause
The root cause of this vulnerability lies in insufficient bounds checking within the EMF parsing code of Canva Affinity. When processing EMF records, the application trusts attacker-controlled length or offset values without properly validating that the resulting memory access falls within the bounds of the allocated buffer. This allows crafted EMF files to specify parameters that cause reads beyond the intended data boundaries.
Attack Vector
The attack requires local access and user interaction. An attacker must craft a malicious EMF file containing specially constructed records that trigger the out-of-bounds read condition. The attack sequence typically involves:
- Attacker creates a malicious EMF file with crafted record structures containing invalid length or offset values
- Attacker delivers the file to the victim through email, file sharing, or other distribution methods
- Victim opens the malicious EMF file in Canva Affinity
- The EMF parser processes the malformed records and reads memory beyond buffer boundaries
- Sensitive information from adjacent memory is disclosed, potentially enabling further attacks
The vulnerability does not directly allow code execution but could expose memory contents that reveal sensitive information or facilitate additional exploitation techniques.
Detection Methods for CVE-2025-64735
Indicators of Compromise
- Unusual EMF files received via email or downloaded from untrusted sources
- Canva Affinity application crashes or unexpected behavior when opening EMF files
- Memory access violations or exception logs related to EMF processing
- Suspicious EMF files with abnormally structured or oversized records
Detection Strategies
- Monitor file system activity for EMF files from untrusted sources being accessed by Canva Affinity
- Implement endpoint detection rules to identify malformed EMF file structures
- Deploy application-level monitoring to detect memory access violations during EMF parsing
- Use file integrity monitoring to identify suspicious EMF files in user directories
Monitoring Recommendations
- Enable verbose logging for Canva Affinity to capture file processing events
- Monitor for application exceptions or crashes related to graphics file handling
- Track network activity for EMF file downloads from untrusted domains
- Implement user behavior analytics to detect unusual file handling patterns
How to Mitigate CVE-2025-64735
Immediate Actions Required
- Apply the latest security updates from Canva for affected Affinity products
- Restrict opening EMF files from untrusted or unknown sources
- Implement email filtering to quarantine EMF attachments pending security review
- Educate users about the risks of opening files from unknown sources
- Consider temporarily disabling EMF file handling if business requirements allow
Patch Information
Canva has released security updates to address this vulnerability. Administrators should consult the Canva Trust Advisory for detailed patch information and update instructions. Additional technical details are available in the Talos Intelligence Vulnerability Report.
Workarounds
- Block or quarantine EMF file attachments at the email gateway level
- Configure endpoint protection to scan EMF files before they are opened
- Implement application whitelisting to restrict file types processed by Canva Affinity
- Use virtualized or sandboxed environments when handling EMF files from untrusted sources
# Example: Block EMF files at email gateway (PowerShell for Exchange)
New-TransportRule -Name "Block EMF Attachments" `
-AttachmentNameMatchesPatterns "*.emf" `
-RejectMessageReasonText "EMF attachments are blocked for security reasons"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
