CVE-2025-62500
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Canva Affinity 3.0.1.3808
Affinity - https://www.affinity.studio/
6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
CWE-125 - Out-of-bounds Read
Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative to software such as Adobe Creative Cloud.
Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.
An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:
Offset Size Name
------ ---- --------------------------------------
0x00 0x04 recordType (0x00000001)
0x04 0x04 recordSize
0x08 0x10 bounds
0x18 0x10 frame
0x28 0x04 recordSignature (0x464D4520)
0x2C 0x04 version
0x30 0x04 sizeInBytes
0x34 0x04 numOfRecords
0x38 0x02 Handles
0x3A 0x02 Reserved
0x3C 0x04 nDescription
0x40 0x04 offDescription
0x44 0x04 PalEntries
Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.
For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field must have the value 0x464D4520; because the file is little-endian, it appears in a hex dump as the bytes 20 45 4D 46, i.e. the text " EMF". The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords field indicates the total number of records in the metafile, including the EMR_HEADER itself.
The nDescription and offDescription fields define the EmfDescription. EmfDescription is a null-terminated Unicode (UTF-16LE) string of arbitrary length. The nDescription field specifies the number of 16-bit characters in the EmfDescription, and the offDescription field specifies the byte offset from the beginning of the EMR_HEADER record to the array that contains the EmfDescription.
This vulnerability occurs because the value of nDescription is not validated against the record size. nDescription counts 16-bit characters, so if offDescription + 2*nDescription exceeds recordSize, accessing the EmfDescription reads past the end of the header record. With full page heap enabled the read runs into the guard page behind the allocation, which makes the behaviour easy to observe in a debugger.
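As an added illustration, not code from Talos or from Affinity, the following C program parses the EMR_HEADER fields described above from a byte buffer and applies the bounds check the loader lacks: offDescription + 2*nDescription must not exceed recordSize, computed in 64 bits so the sum cannot wrap. It also reproduces the two lengths the vulnerable loader derives from nDescription, as they can be read off the debugger trace on this page (an allocation of (2*nDescription + 0x15) & ~7 bytes and a memcpy of 2*nDescription bytes), to show how the nDescription of 0x29000000 seen at (3) becomes a 0x52000000-byte copy. The header bytes are constructed here, modelled on the dump at (2) (same recordSize, signature, version, sizeInBytes and numOfRecords, with the description text placed at 0x6C); the 0x48-byte minimum offset and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EMR_HEADER_TYPE      0x00000001u
#define EMF_SIGNATURE        0x464D4520u  /* little-endian on disk: a hex dump shows 20 45 4D 46, " EMF" */
#define EMR_HEADER_MIN_SIZE  0x48u        /* fixed fields through palEntries; assumed minimum for this example */
#define EMR_HEADER_TEST_SIZE 0xC0u        /* recordSize of the header in the advisory's dump */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

typedef struct {
    uint32_t recordType;
    uint32_t recordSize;
    uint32_t recordSignature;
    uint32_t nDescription;    /* number of 16-bit code units, terminators included */
    uint32_t offDescription;  /* byte offset from the start of EMR_HEADER */
} emr_header_t;

/* Parse the EMR_HEADER fields relevant to the advisory and apply the missing check.
 * Returns 0 when the EmfDescription lies entirely inside the record, a negative code otherwise. */
int emf_parse_header(const uint8_t *buf, size_t len, emr_header_t *h)
{
    uint64_t end;
    if (len < EMR_HEADER_MIN_SIZE) return -1;
    h->recordType      = rd32(buf + 0x00);
    h->recordSize      = rd32(buf + 0x04);
    h->recordSignature = rd32(buf + 0x28);
    h->nDescription    = rd32(buf + 0x3C);
    h->offDescription  = rd32(buf + 0x40);
    if (h->recordType != EMR_HEADER_TYPE)                           return -2;
    if (h->recordSignature != EMF_SIGNATURE)                        return -3;
    if (h->recordSize < EMR_HEADER_MIN_SIZE || h->recordSize > len) return -4;
    if (h->nDescription == 0)                                       return 0;  /* no description present */
    /* nDescription counts UTF-16 code units, so the array is 2*nDescription bytes long.
     * Compute the end offset in 64 bits: offDescription + 2*nDescription can exceed 2^32. */
    end = (uint64_t)h->offDescription + (uint64_t)h->nDescription * 2u;
    if (h->offDescription < EMR_HEADER_MIN_SIZE || end > h->recordSize) return -5;
    return 0;
}

/* The two lengths the vulnerable loader derives from nDescription, as read from the trace:
 * "lea eax,[rsi*2+15h]; and eax,0FFFFFFF8h" for the allocation (32-bit arithmetic), and
 * "lea r8,[rdi+rdi]" after a sign extension for the memcpy byte count (non-negative values). */
uint32_t unchecked_alloc_size(uint32_t nDescription) { return (nDescription * 2u + 0x15u) & 0xFFFFFFF8u; }
uint64_t unchecked_copy_size(uint32_t nDescription)  { return (uint64_t)nDescription * 2u; }

/* Build a 0xC0-byte EMR_HEADER modelled on the advisory's dump (constructed test data): the
 * description "Transform Operations EMF" / "Transform Demo" is written as UTF-16LE at 0x6C. */
size_t make_header(uint8_t *out, size_t cap, uint32_t nDescription, uint32_t offDescription)
{
    static const char desc[] = "Transform Operations EMF\0Transform Demo"; /* 40 bytes incl. both NULs */
    size_t i;
    if (cap < EMR_HEADER_TEST_SIZE) return 0;
    memset(out, 0, EMR_HEADER_TEST_SIZE);
    wr32(out + 0x00, EMR_HEADER_TYPE);
    wr32(out + 0x04, EMR_HEADER_TEST_SIZE);
    wr32(out + 0x28, EMF_SIGNATURE);
    wr32(out + 0x2C, 0x00010000u);  /* version */
    wr32(out + 0x30, 0x264u);       /* sizeInBytes */
    wr32(out + 0x34, 0x15u);        /* numOfRecords */
    wr32(out + 0x3C, nDescription);
    wr32(out + 0x40, offDescription);
    for (i = 0; i < sizeof desc; i++)
        out[0x6C + 2 * i] = (uint8_t)desc[i];  /* high bytes stay 0; the 41st (final NUL) unit is already 0 */
    return EMR_HEADER_TEST_SIZE;
}

/* Build a header with the given fields and return the parser's verdict. */
int check_constructed(uint32_t nDescription, uint32_t offDescription)
{
    uint8_t hdr[EMR_HEADER_TEST_SIZE];
    emr_header_t h;
    make_header(hdr, sizeof hdr, nDescription, offDescription);
    return emf_parse_header(hdr, sizeof hdr, &h);
}

int main(void)
{
    /* 0x29 = 41 code units: the description ends at 0x6C + 0x52 = 0xBE, inside the 0xC0-byte record */
    printf("benign  nDescription=0x29       -> rc=%d\n", check_constructed(0x29u, 0x6Cu));
    /* the value read at (3) in the trace */
    printf("crafted nDescription=0x29000000 -> rc=%d, loader would allocate 0x%x and memcpy 0x%llx bytes\n",
           check_constructed(0x29000000u, 0x6Cu), (unsigned)unchecked_alloc_size(0x29000000u),
           (unsigned long long)unchecked_copy_size(0x29000000u));
    /* 2*nDescription wraps to 0 in 32-bit arithmetic; the 64-bit check still rejects it */
    printf("wrap    nDescription=0x80000000 -> rc=%d\n", check_constructed(0x80000000u, 0x6Cu));
    return 0;
}
```

Two details worth noting from running this against the constructed header: 0x29 (41) is exactly the number of 16-bit code units in the two description strings plus their terminators, so the crafted value 0x29000000 at (3) looks like the original count with its byte order disturbed; and the 64-bit end-offset computation matters, since a 32-bit check of offDescription + 2*nDescription would wrap to a small value for nDescription = 0x80000000 and accept it.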
0:039> g
Breakpoint 0 hit
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fa:
00007ffa`4ef0857a 8b4740 mov eax,dword ptr [rdi+40h] ds:000001d6`d4830040=0000006c ;<---------------- (1)
0:032> r
rax=00000020aa9ff4b0 rbx=000001d9ab76e580 rcx=000001d9ab698ff0
rdx=00000020aa9ff4b8 rsi=000001d9c3b34d20 rdi=000001d6d4830000
rip=00007ffa4ef0857a rsp=00000020aa9ff040 rbp=00000020aa9ff390
r8=0000000000000000 r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fa:
00007ffa`4ef0857a 8b4740 mov eax,dword ptr [rdi+40h] ds:000001d6`d4830040=0000006c
0:032> db 000001d6d4830000 ;<---------------- (2)
000001d6`d4830000 01 00 00 00 c0 00 00 00-64 00 00 00 64 00 00 00 ........d...d...
000001d6`d4830010 1e 02 00 00 77 02 00 00-00 00 00 00 00 00 00 00 ....w...........
000001d6`d4830020 20 03 00 00 58 02 00 00-20 45 4d 46 00 00 01 00 ...X... EMF....
000001d6`d4830030 64 02 00 00 15 00 00 00-02 fb ee 28 00 00 00 29 d..........(...)
000001d6`d4830040 6c 00 00 00 00 00 00 00-00 00 00 00 0a 00 00 38 l..............8
000001d6`d4830050 04 00 00 1e 03 00 00 4e-01 00 00 00 00 00 00 00 .......N........
000001d6`d4830060 00 00 00 00 00 00 00 30-2d 0c 00 b0 18 05 00 54 .......0-......T
000001d6`d4830070 00 72 00 61 00 6e 00 73-00 66 00 6f 00 72 00 6d .r.a.n.s.f.o.r.m
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fd:
00007ffa`4ef0857d 85c0 test eax,eax
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x3a3ff:
00007ffa`4ef0857f 0f841c010000 je libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x3a405:
00007ffa`4ef08585 8b773c mov esi,dword ptr [rdi+3Ch] ds:000001d6`d483003c=29000000 ;<---------------- (3)
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x3a408:
00007ffa`4ef08588 85f6 test esi,esi
At (1), offDescription (0x6c) is read into eax. The EMR_HEADER record is dumped at (2); note that recordSize, at offset 0x04, is 0xC0, so the whole record is 0xC0 bytes. At (3), nDescription is read into esi: its value, 0x29000000, is far larger than the entire record.
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a40a:
00007ffa`4ef0858a 0f8411010000 je libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a410:
00007ffa`4ef08590 448be0 mov r12d,eax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a413:
00007ffa`4ef08593 4c03e7 add r12,rdi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a416:
00007ffa`4ef08596 0f8405010000 je libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> r
rax=000000000000006c rbx=000001d9ab76e580 rcx=000001d9ab698ff0
rdx=00000020aa9ff4b8 rsi=0000000029000000 rdi=000001d6d4830000
rip=00007ffa4ef08596 rsp=00000020aa9ff040 rbp=00000020aa9ff390
r8=0000000000000000 r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a416:
00007ffa`4ef08596 0f8405010000 je libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> db 000001d6d483006c ;<---------------- (4)
000001d6`d483006c 18 05 00 54 00 72 00 61-00 6e 00 73 00 66 00 6f ...T.r.a.n.s.f.o
000001d6`d483007c 00 72 00 6d 00 20 00 4f-00 70 00 65 00 72 00 61 .r.m. .O.p.e.r.a
000001d6`d483008c 00 74 00 69 00 6f 00 6e-00 73 00 20 00 45 00 4d .t.i.o.n.s. .E.M
000001d6`d483009c 00 46 00 00 00 54 00 72-00 61 00 6e 00 73 00 66 .F...T.r.a.n.s.f
000001d6`d48300ac 00 6f 00 72 00 6d 00 20-00 44 00 65 00 6d 00 6f .o.r.m. .D.e.m.o
000001d6`d48300bc 00 00 00 00 00 00 00 11-00 00 00 0c 00 00 00 08 ................
000001d6`d48300cc 00 00 00 09 00 00 00 10-00 00 00 20 03 00 00 58 ........... ...X
000001d6`d48300dc 02 00 00 0b 00 00 00 10-00 00 00 20 03 00 00 58 ........... ...X
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a41c:
00007ffa`4ef0859c 85f6 test esi,esi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a41e:
00007ffa`4ef0859e 790d jns libpersona!Emf::EmfLoader::LoadDocument+0x3a42d (00007ffa`4ef085ad) [br=1]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a42d:
00007ffa`4ef085ad 7521 jne libpersona!Emf::EmfLoader::LoadDocument+0x3a450 (00007ffa`4ef085d0) [br=1]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a450:
00007ffa`4ef085d0 8d047515000000 lea eax,[rsi*2+15h]
0:032> r
rax=000000000000006c rbx=000001d9ab76e580 rcx=000001d9ab698ff0
rdx=00000020aa9ff4b8 rsi=0000000029000000 rdi=000001d6d4830000
rip=00007ffa4ef085d0 rsp=00000020aa9ff040 rbp=00000020aa9ff390
r8=0000000000000000 r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a450:
00007ffa`4ef085d0 8d047515000000 lea eax,[rsi*2+15h] ;<-------------------- (5)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a457:
00007ffa`4ef085d7 83e0f8 and eax,0FFFFFFF8h
0:032> r
rax=0000000052000015 rbx=000001d9ab76e580 rcx=000001d9ab698ff0
rdx=00000020aa9ff4b8 rsi=0000000029000000 rdi=000001d6d4830000
rip=00007ffa4ef085d7 rsp=00000020aa9ff040 rbp=00000020aa9ff390
r8=0000000000000000 r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a457:
00007ffa`4ef085d7 83e0f8 and eax,0FFFFFFF8h
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a45a:
00007ffa`4ef085da 8bf8 mov edi,eax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a45c:
00007ffa`4ef085dc 8bc8 mov ecx,eax
0:032> p
rax=0000000052000010 rbx=000001d9ab76e580 rcx=0000000052000010
rdx=00000020aa9ff4b8 rsi=0000000029000000 rdi=0000000052000010
rip=00007ffa4ef085de rsp=00000020aa9ff040 rbp=00000020aa9ff390
r8=0000000000000000 r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a45e:
00007ffa`4ef085de e851eb890d call libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x2700b4 (00007ffa`5c7a7134) ;<------------------------- (6)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a463:
00007ffa`4ef085e3 488bd8 mov rbx,rax
0:032> r
rax=000001d9d5cf0ff0 rbx=000001d9ab76e580 rcx=000000007ffe0380
rdx=00000000000000d0 rsi=0000000029000000 rdi=0000000052000010
rip=00007ffa4ef085e3 rsp=00000020aa9ff040 rbp=00000020aa9ff390
r8=0000000000000000 r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a463:
00007ffa`4ef085e3 488bd8 mov rbx,rax
0:032> db 000001d9d5cf0ff0 ;<------------------------- (7)
000001d9`d5cf0ff0 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`d5cf1000 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`d5cf1010 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`d5cf1020 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`d5cf1030 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`d5cf1040 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`d5cf1050 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`d5cf1060 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a466:
00007ffa`4ef085e6 448930 mov dword ptr [rax],r14d ds:000001d9`d5cf0ff0=c0c0c0c0
At (4), offDescription has been added to the base of the EMR_HEADER record (r12 = rdi + 0x6c) to obtain the address of the source EmfDescription. At (5), nDescription is used to compute the size of the destination buffer, (2 * 0x29000000 + 0x15) & ~7 = 0x52000010 bytes, and that buffer is allocated by the malloc call at (6) (the symbol shown is only the nearest export symbol, since libpersona.dll carries no private symbols). The freshly allocated buffer is examined at (7): it still holds the 0xC0 fill pattern that page heap writes into new allocations.
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a469:
00007ffa`4ef085e9 8d47f2 lea eax,[rdi-0Eh]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a46c:
00007ffa`4ef085ec d1e8 shr eax,1
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a46e:
00007ffa`4ef085ee 894308 mov dword ptr [rbx+8],eax ds:000001d9`d5cf0ff8=c0c0c0c0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a471:
00007ffa`4ef085f1 48895c2460 mov qword ptr [rsp+60h],rbx ss:00000020`aa9ff0a0=000001d9ab76e580
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a476:
00007ffa`4ef085f6 4c8beb mov r13,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a479:
00007ffa`4ef085f9 488beb mov rbp,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a47c:
00007ffa`4ef085fc 4c8bfb mov r15,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a47f:
00007ffa`4ef085ff 4c8bf3 mov r14,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a482:
00007ffa`4ef08602 4885db test rbx,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a485:
00007ffa`4ef08605 7403 je libpersona!Emf::EmfLoader::LoadDocument+0x3a48a (00007ffa`4ef0860a) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a487:
00007ffa`4ef08607 f0ff03 lock inc dword ptr [rbx] ds:000001d9`d5cf0ff0=00000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a48a:
00007ffa`4ef0860a 41897504 mov dword ptr [r13+4],esi ds:000001d9`d5cf0ff4=c0c0c0c0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a48e:
00007ffa`4ef0860e 4863fe movsxd rdi,esi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a491:
00007ffa`4ef08611 4c8d043f lea r8,[rdi+rdi] ;<------------------------- (8)
0:032> r
rax=0000000029000001 rbx=000001d9d5cf0ff0 rcx=000000007ffe0380
rdx=00000000000000d0 rsi=0000000029000000 rdi=0000000029000000
rip=00007ffa4ef08611 rsp=00000020aa9ff040 rbp=000001d9d5cf0ff0
r8=0000000000000000 r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d9d5cf0ff0
r14=000001d9d5cf0ff0 r15=000001d9d5cf0ff0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a491:
00007ffa`4ef08611 4c8d043f lea r8,[rdi+rdi]
0:032> p;r
rax=0000000029000001 rbx=000001d9d5cf0ff0 rcx=000000007ffe0380
rdx=00000000000000d0 rsi=0000000029000000 rdi=0000000029000000
rip=00007ffa4ef08615 rsp=00000020aa9ff040 rbp=000001d9d5cf0ff0
r8=0000000052000000 r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d9d5cf0ff0
r14=000001d9d5cf0ff0 r15=000001d9d5cf0ff0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a495:
00007ffa`4ef08615 498bd4 mov rdx,r12 ;<------------------------- (9)
0:032> p;r
rax=0000000029000001 rbx=000001d9d5cf0ff0 rcx=000000007ffe0380
rdx=000001d6d483006c rsi=0000000029000000 rdi=0000000029000000
rip=00007ffa4ef08618 rsp=00000020aa9ff040 rbp=000001d9d5cf0ff0
r8=0000000052000000 r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d9d5cf0ff0
r14=000001d9d5cf0ff0 r15=000001d9d5cf0ff0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a498:
00007ffa`4ef08618 498d4d0c lea rcx,[r13+0Ch] ;<------------------------- (10)
0:032> p;r
rax=0000000029000001 rbx=000001d9d5cf0ff0 rcx=000001d9d5cf0ffc
rdx=000001d6d483006c rsi=0000000029000000 rdi=0000000029000000
rip=00007ffa4ef0861c rsp=00000020aa9ff040 rbp=000001d9d5cf0ff0
r8=0000000052000000 r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d9d5cf0ff0
r14=000001d9d5cf0ff0 r15=000001d9d5cf0ff0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a49c:
00007ffa`4ef0861c e8c9138a0d call libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x27296a (00007ffa`5c7a99ea) ;<------------------------- (11)
0:032> db 000001d6d483006c
000001d6`d483006c 18 05 00 54 00 72 00 61-00 6e 00 73 00 66 00 6f ...T.r.a.n.s.f.o
000001d6`d483007c 00 72 00 6d 00 20 00 4f-00 70 00 65 00 72 00 61 .r.m. .O.p.e.r.a
000001d6`d483008c 00 74 00 69 00 6f 00 6e-00 73 00 20 00 45 00 4d .t.i.o.n.s. .E.M
000001d6`d483009c 00 46 00 00 00 54 00 72-00 61 00 6e 00 73 00 66 .F...T.r.a.n.s.f
000001d6`d48300ac 00 6f 00 72 00 6d 00 20-00 44 00 65 00 6d 00 6f .o.r.m. .D.e.m.o
000001d6`d48300bc 00 00 00 00 00 00 00 11-00 00 00 0c 00 00 00 08 ................
000001d6`d48300cc 00 00 00 09 00 00 00 10-00 00 00 20 03 00 00 58 ........... ...X
000001d6`d48300dc 02 00 00 0b 00 00 00 10-00 00 00 20 03 00 00 58 ........... ...X
At (8), the byte count for the copy is derived from nDescription (r8 = 2 * 0x29000000 = 0x52000000). At (9) the source pointer is set to the EmfDescription address obtained at (4), at (10) the destination pointer is set to offset 0xC of the new buffer, and at (11) memcpy is called to copy the EmfDescription from the EMR_HEADER into it. Because nDescription is arbitrarily larger than the record, memcpy reads far past the end of the 0xC0-byte EMR_HEADER. With page heap enabled the read faults as soon as it crosses into the guard page behind the record, which is what the crash shows.
0:032> g
(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VCRUNTIME140!memcpy+0x326:
00007ffa`fa1e1506 c5fe6f8a80000000 vmovdqu ymm1,ymmword ptr [rdx+80h] ds:000001d6`d4830ff0=00
0:032> dq 000001d6`d4830ff0
000001d6`d4830ff0 00000000`00000000 00000000`00000000
000001d6`d4831000 ????????`???????? ????????`????????
000001d6`d4831010 ????????`???????? ????????`????????
000001d6`d4831020 ????????`???????? ????????`????????
000001d6`d4831030 ????????`???????? ????????`????????
000001d6`d4831040 ????????`???????? ????????`????????
000001d6`d4831050 ????????`???????? ????????`????????
000001d6`d4831060 ????????`???????? ????????`????????
0:032> u
VCRUNTIME140!memcpy+0x326 [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 442]:
00007ffa`fa1e1506 c5fe6f8a80000000 vmovdqu ymm1,ymmword ptr [rdx+80h]
00007ffa`fa1e150e c5fe6f92a0000000 vmovdqu ymm2,ymmword ptr [rdx+0A0h]
00007ffa`fa1e1516 c5fe6f9ac0000000 vmovdqu ymm3,ymmword ptr [rdx+0C0h]
00007ffa`fa1e151e c5fe6fa2e0000000 vmovdqu ymm4,ymmword ptr [rdx+0E0h]
00007ffa`fa1e1526 c5fde78980000000 vmovntdq ymmword ptr [rcx+80h],ymm1
00007ffa`fa1e152e c5fde791a0000000 vmovntdq ymmword ptr [rcx+0A0h],ymm2
00007ffa`fa1e1536 c5fde799c0000000 vmovntdq ymmword ptr [rcx+0C0h],ymm3
00007ffa`fa1e153e c5fde7a1e0000000 vmovntdq ymmword ptr [rcx+0E0h],ymm4
0:032> kb
# RetAddr : Args to Child : Call Site
00 00007ffa`4ef08621 : 000001d9`ab76e580 001fff0d`0000001f 000001d6`d4830000 00000000`00010000 : VCRUNTIME140!memcpy+0x326 [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 442]
01 00007ffa`4ef1ff01 : 000001d9`d5cf0ff0 00000020`aa9ff4b0 000001d6`d4830000 00000000`00000010 : libpersona!Emf::EmfLoader::LoadDocument+0x3a4a1
02 00007ffa`4ef1fe9c : 00000020`aa9ff390 00000000`00000000 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x51d81
03 00007ffa`faf0e73f : 00000000`00000000 000001d9`c3b34d20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
04 00007ffa`fc56d432 : 000001d9`83d36fd0 00000020`00000000 000001d9`83d36fd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
05 00007ffa`4ef215ce : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d9`c314af90 : GDI32!EnumEnhMetaFileStub+0x52
06 00007ffa`4eecdb56 : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
07 00007ffa`4eece041 : 000001d9`c314af90 000001d9`c3b34d20 000001d9`c314af90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
08 00007ffa`4eece2ab : 00000020`aa9ff708 000001d9`c314af90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
09 00007ffa`4eece124 : 000001d9`a5d2e740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
0a 00007ffa`4ec83a94 : 000001d9`c276cf90 000001d9`a5d2e740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0b 00007ffa`4ec5088f : 000001d9`a5d2e740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0c 00007ffa`4ec4eacc : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0d 00007ffa`51283602 : 000001d9`bf18c690 00000000`00000000 000001d9`9c28ef70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0e 00007ffa`52a96cea : 000001d9`bf18c6c8 000001d9`b422ef00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
0f 00007ffa`af2464cf : 00000000`00000000 000001d9`9c28ef70 00000000`00000000 000001d9`7d016fe0 : libpersona!PersonaController::StaticDoCommand+0x3a
10 00007ffa`af49f47f : 000001d6`98576fd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
11 00007ffa`fcc17374 : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
12 00007ffa`fd87cc91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
13 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:032> lmDvm libpersona
start end module name
00007ffa`49180000 00007ffa`60abb000 libpersona (export symbols) C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Image name: libpersona.dll
Timestamp: Mon Nov 3 07:34:40 2025 (6908CB90)
CheckSum: 17822078
ImageSize: 1793B000
Mapping Form: Loaded
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Exploiting this vulnerability lets a crafted file make the process read memory beyond the EMR_HEADER record; the length of the read (2 * nDescription) is taken directly from the file, so a large region of adjacent process memory can be copied, potentially disclosing sensitive information.
See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)
2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release
Discovered by KPC of Cisco Talos.