Impact
An out-of-bounds read vulnerability (CWE-125) has been identified in the EMF processing component of Canva Affinity. The flaw allows a malformed EMF file to cause the application to read memory beyond the intended bounds of a buffer. If successfully triggered, this can expose confidential data that resides outside that buffer, potentially leaking sensitive information to an attacker. The description states that "an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information."
Affected Systems
The affected product is Canva Affinity, which runs on Windows platforms as indicated by the CPE string. No specific version numbers are disclosed in the provided data, so all releases of the product should be considered potentially vulnerable until a vendor update is confirmed.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, an attacker must supply a specially crafted EMF file, and the victim must open or process it; this could occur through an email attachment, a download, or an automated import feature. The requirement for user interaction or automatic processing limits the breadth of possible exploitation vectors, but the potential for sensitive data leakage remains significant if the flaw is exploited.
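The advisory does not say which EMF record triggers the read, so the following is an added example, not Canva's code and not a reproduction of the flaw: a structural pre-check that a gateway or import pipeline could run on EMF files before they reach the application. It shows the size-versus-remaining-bytes comparison whose absence defines CWE-125; the function and status names are hypothetical, and the offsets follow the published EMF record layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status names are hypothetical, chosen for this example. */
enum emf_status { EMF_OK, EMF_TRUNCATED, EMF_BAD_HEADER, EMF_BAD_RECORD, EMF_NO_EOF };

/* Little-endian u32 read; callers prove p[0..3] is in bounds first. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk all records, checking each declared size against the bytes that are
 * really present. Offsets and type numbers follow the EMF record layout. */
enum emf_status emf_validate(const uint8_t *buf, size_t len) {
    if (len < 88) return EMF_TRUNCATED;                  /* minimum EMR_HEADER */
    if (rd32(buf) != 1 || rd32(buf + 4) < 88 ||          /* type 1, sane size  */
        rd32(buf + 40) != 0x464D4520u)                   /* " EMF" signature   */
        return EMF_BAD_HEADER;
    uint32_t total = rd32(buf + 48), nrec = rd32(buf + 52);
    if (total > len) return EMF_TRUNCATED;               /* header overstates data */
    size_t off = 0;
    uint32_t count = 0, type = 0;
    while (off < total && type != 14) {                  /* 14 = EMR_EOF */
        size_t remaining = total - off;
        if (remaining < 8) return EMF_BAD_RECORD;        /* no room for type+size */
        type = rd32(buf + off);
        uint32_t size = rd32(buf + off + 4);
        if (size < 8 || (size & 3) || size > remaining)  /* the CWE-125 guard */
            return EMF_BAD_RECORD;
        off += size;
        count++;
    }
    if (type != 14) return EMF_NO_EOF;
    /* Strict policy (assumption): counts and sizes must match the header. */
    return (off == total && count == nrec) ? EMF_OK : EMF_BAD_HEADER;
}

int main(void) {
    uint8_t f[108] = {0};                    /* constructed sample: header + EOF */
    f[0] = 1; f[4] = 88; f[40] = 0x20; f[41] = 0x45; f[42] = 0x4D; f[43] = 0x46;
    f[48] = 108; f[52] = 2; f[88] = 14; f[92] = 20;
    printf("valid: %d\n", emf_validate(f, sizeof f));
    f[92] = 200;                             /* record claims more than exists */
    printf("oversized record: %d\n", emf_validate(f, sizeof f));
    return 0;
}
```

A file that passes this walk can still be malformed inside an individual record's payload, so the check reduces exposure at ingestion but does not replace the vendor update.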
OpenCVE Enrichment