Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Published: 2026-03-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

An out‑of‑bounds read vulnerability in Canva Affinity's EMF functionality can allow an attacker to read data beyond the intended bounds during EMF file processing. This weakness, classified as CWE‑125, may lead to the disclosure of sensitive information that the user has access to on the system, including potentially private data contained in the affected memory region.

Affected Systems

The vulnerability affects Canva Affinity running on Windows. No specific affected versions are listed in the provided data, so any installation of the product on Windows could be impacted until a vendor update is released.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves an attacker supplying a specially crafted EMF file to a user of Canva Affinity, though the exact session or privilege requirements are not specified in the data, so this is inferred rather than explicitly stated.

Generated by OpenCVE AI on March 19, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Canva Affinity's official website or support page for updates or patches addressing the Out‑of‑Bounds Read vulnerability.
  • Avoid opening and importing untrusted or unknown EMF files until a security patch is applied.
  • Consider disabling EMF import functionality if not required for workflow.


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read in Canva Affinity EMF Functionality Leading to Information Disclosure

Thu, 19 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:canva:affinity:*:*:*:*:*:windows:*:*

Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:canva:affinity:-:*:*:*:*:windows:*:*

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 21:30:00 +0000


Tue, 17 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Canva
Canva affinity
CPEs cpe:2.3:a:canva:affinity:-:*:*:*:*:windows:*:*
Vendors & Products Canva
Canva affinity

Tue, 17 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: talos

Published:

Updated: 2026-03-18T17:00:16.161Z

Reserved: 2025-12-05T16:34:24.486Z

Link: CVE-2025-64735

Vulnrichment

Updated: 2026-03-17T20:11:28.373Z

NVD

Status: Analyzed

Published: 2026-03-17T19:15:58.930

Modified: 2026-03-19T12:21:10.653

Link: CVE-2025-64735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:54Z

Weaknesses