Talos Vulnerability Report

TALOS-2025-2299

Canva Affinity EMF File EMR_HEADER offDescription Out-Of-Bounds Read Vulnerability

March 17, 2026
CVE Number

CVE-2025-61979

SUMMARY

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Canva Affinity 3.0.1.3808

PRODUCT URLS

Affinity - https://www.affinity.studio/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative to software like Adobe Creative Cloud.

Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:

Offset      Size      Name
------      ----      --------------------------------------
0x00        0x04      recordType  (0x00000001)
0x04        0x04      recordSize
0x08        0x10      bounds
0x18        0x10      frame
0x28        0x04      recordSignature (0x464D4520)
0x2C        0x04      version
0x30        0x04      sizeInBytes
0x34        0x04      numOfRecords
0x38        0x02      Handles
0x3A        0x02      Reserved
0x3C        0x04      nDescription
0x40        0x04      offDescription
0x44        0x04      PalEntries

Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.

For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (the characters "FME " when read as a little-endian DWORD; in the file the bytes appear in order as " EMF"). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords field indicates the total number of records present in the metafile, including the EMR_HEADER.

The nDescription and offDescription fields define the EmfDescription. EmfDescription is a null‑terminated Unicode string of arbitrary length. The nDescription field specifies the number of characters in the EmfDescription, and the offDescription field specifies the offset from the beginning of the EMR_HEADER record to the array that contains the EmfDescription.

This vulnerability occurs because the value of offDescription is not validated. If (offDescription + nDescription) is greater than the recordSize field, then an out‑of‑bounds read occurs when accessing the EmfDescription. This behavior can be observed while debugging with pageheap enabled.
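The following is an added example, not code from the advisory or from Affinity: a Python parser for the fixed EMR_HEADER fields that performs the bounds check described above. The malformed sample is constructed from the header bytes in the memory dump further down (recordSize 0xC0, nDescription 0x29, offDescription 0x1000), and the well-formed sample is constructed for contrast.

```python
import struct

EMR_HEADER_TYPE = 0x00000001
EMR_SIGNATURE = 0x464D4520            # stored on disk as the bytes 20 45 4D 46 (" EMF")
FIXED_FMT = "<II16s16sIIIIHHIII"      # recordType through PalEntries, 0x48 bytes
FIXED_LEN = struct.calcsize(FIXED_FMT)

# Constructed sample: the first 0x48 bytes of the EMR_HEADER from the advisory's
# memory dump, zero-padded to its recordSize (0xC0) so that the record itself is
# complete and only offDescription points outside it.
MALFORMED_HEADER = bytes.fromhex(
    "01000000 c0000000 64000000 64000000 1e020000 77020000 00000000 00000000"
    "20030000 58020000 20454d46 00000100 64020000 15000000 02fbee28 29000000"
    "00100000 00000000"
).ljust(0xC0, b"\0")


def parse_emr_header(buf: bytes) -> dict:
    """Parse EMR_HEADER and refuse to read the EmfDescription outside the record.

    The (offDescription + 2 * nDescription) <= recordSize check is the validation
    the advisory describes as missing in the affected loader.
    """
    if len(buf) < FIXED_LEN:
        raise ValueError("buffer shorter than the fixed EMR_HEADER fields")
    (rec_type, rec_size, _bounds, _frame, sig, version, size_bytes, n_records,
     _handles, _reserved, n_desc, off_desc, _pal) = struct.unpack_from(FIXED_FMT, buf)
    if rec_type != EMR_HEADER_TYPE or sig != EMR_SIGNATURE:
        raise ValueError("not an EMR_HEADER record")
    if rec_size < FIXED_LEN or rec_size > len(buf):
        raise ValueError(f"recordSize 0x{rec_size:x} does not fit the available data")
    description = ""
    if n_desc:
        desc_bytes = n_desc * 2              # UTF-16LE: nDescription counts characters
        # The string must lie entirely inside this record and must not overlap the
        # fixed fields. (A C implementation must also guard the addition against
        # 32-bit wrap-around before comparing it with recordSize.)
        if off_desc < FIXED_LEN or off_desc + desc_bytes > rec_size:
            raise ValueError(f"EmfDescription at 0x{off_desc:x} (+0x{desc_bytes:x}) "
                             f"exceeds recordSize 0x{rec_size:x}")
        description = buf[off_desc:off_desc + desc_bytes].decode("utf-16-le").rstrip("\0")
    return {"recordSize": rec_size, "version": version, "sizeInBytes": size_bytes,
            "numOfRecords": n_records, "nDescription": n_desc,
            "offDescription": off_desc, "description": description}


def make_valid_header(description: str) -> bytes:
    """Build a minimal well-formed EMR_HEADER (constructed, for contrast) whose
    EmfDescription sits directly after the fixed fields."""
    text = (description + "\0").encode("utf-16-le")
    rec_size = FIXED_LEN + len(text)
    fixed = struct.pack(FIXED_FMT, EMR_HEADER_TYPE, rec_size, b"\0" * 16, b"\0" * 16,
                        EMR_SIGNATURE, 0x00010000, rec_size, 1, 0, 0,
                        len(text) // 2, FIXED_LEN, 0)
    return fixed + text
```

Running parse_emr_header on MALFORMED_HEADER raises ValueError at the bounds check, while the header built by make_valid_header parses and returns its description.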

0:039> g
(1318.2054): Unknown exception - code 000006ba (first chance)
(1318.2054): Unknown exception - code 000006ba (first chance)
Breakpoint 0 hit
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fa:
00007ffa`4ef0857a 8b4740          mov     eax,dword ptr [rdi+40h] ds:000001d6`d4830040=00001000
0:032> r
rax=00000020aa9ff4b0 rbx=000001d98de22580 rcx=000001d9ad5bcff0
rdx=00000020aa9ff4b8 rsi=000001d98ead9d20 rdi=000001d6d4830000
rip=00007ffa4ef0857a rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000000000010 r10=000001d9ba498ff0
r11=0000000000000246 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fa:
00007ffa`4ef0857a 8b4740          mov     eax,dword ptr [rdi+40h] ds:000001d6`d4830040=00001000 ;<------------- (1)
0:032> db 000001d6`d4830000                                       ;<-------------------------------- (2)
000001d6`d4830000  01 00 00 00 c0 00 00 00-64 00 00 00 64 00 00 00  ........d...d...
000001d6`d4830010  1e 02 00 00 77 02 00 00-00 00 00 00 00 00 00 00  ....w...........
000001d6`d4830020  20 03 00 00 58 02 00 00-20 45 4d 46 00 00 01 00   ...X... EMF....
000001d6`d4830030  64 02 00 00 15 00 00 00-02 fb ee 28 29 00 00 00  d..........()...
000001d6`d4830040  00 10 00 00 00 00 00 00-00 00 00 00 0a 00 00 38  ...............8
000001d6`d4830050  04 00 00 1e 03 00 00 4e-01 00 00 00 00 00 00 00  .......N........
000001d6`d4830060  00 00 00 00 00 00 00 30-2d 0c 00 b0 18 05 00 54  .......0-......T
000001d6`d4830070  00 72 00 61 00 6e 00 73-00 66 00 6f 00 72 00 6d  .r.a.n.s.f.o.r.m
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fd:
00007ffa`4ef0857d 85c0            test    eax,eax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a3ff:
00007ffa`4ef0857f 0f841c010000    je      libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a405:
00007ffa`4ef08585 8b773c          mov     esi,dword ptr [rdi+3Ch] ds:000001d6`d483003c=00000029
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a408:
00007ffa`4ef08588 85f6            test    esi,esi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a40a:
00007ffa`4ef0858a 0f8411010000    je      libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a410:
00007ffa`4ef08590 448be0          mov     r12d,eax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a413:
00007ffa`4ef08593 4c03e7          add     r12,rdi
0:032> r
rax=0000000000001000 rbx=000001d98de22580 rcx=000001d9ad5bcff0
rdx=00000020aa9ff4b8 rsi=0000000000000029 rdi=000001d6d4830000
rip=00007ffa4ef08593 rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000000000010 r10=000001d9ba498ff0
r11=0000000000000246 r12=0000000000001000 r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a413:
00007ffa`4ef08593 4c03e7          add     r12,rdi  ;<----------------------------------- (3)
0:032> p;r
rax=0000000000001000 rbx=000001d98de22580 rcx=000001d9ad5bcff0
rdx=00000020aa9ff4b8 rsi=0000000000000029 rdi=000001d6d4830000
rip=00007ffa4ef08596 rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000000000010 r10=000001d9ba498ff0
r11=0000000000000246 r12=000001d6d4831000 r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a416:
00007ffa`4ef08596 0f8405010000    je      libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> db 000001d6d4831000     ;<----------------------------------- (4)
000001d6`d4831000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

At (1), offDescription is read and stored in the eax register. The contents of the EMR_HEADER record are examined at (2). Note that the size of the EMR_HEADER record is 0xC0. At (3), offDescription is added to the pointer to the EMR_HEADER record to obtain the address of the source EmfDescription. However, because offDescription is greater than the size of the EMR_HEADER, the resulting address points to an unallocated memory region, as shown at (4). Accessing this memory region later in the program leads to an out‑of‑bounds read. This can be observed at the time of the crash.

(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VCRUNTIME140!memcpy+0x17d:
00007ffa`fa1e135d c5fe6f02        vmovdqu ymm0,ymmword ptr [rdx] ds:000001d6`d4831000=??
0:032> db 000001d6`d4831000
000001d6`d4831000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

0:032> u
VCRUNTIME140!memcpy+0x17d [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 304]:
00007ffa`fa1e135d c5fe6f02        vmovdqu ymm0,ymmword ptr [rdx]
00007ffa`fa1e1361 c4a17e6f6c02e0  vmovdqu ymm5,ymmword ptr [rdx+r8-20h]
00007ffa`fa1e1368 4981f800010000  cmp     r8,100h
00007ffa`fa1e136f 0f86c3000000    jbe     VCRUNTIME140!memcpy+0x258 (00007ffa`fa1e1438)
00007ffa`fa1e1375 4c8bc9          mov     r9,rcx
00007ffa`fa1e1378 4983e11f        and     r9,1Fh
00007ffa`fa1e137c 4983e920        sub     r9,20h
00007ffa`fa1e1380 492bc9          sub     rcx,r9

0:032> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`4ef08621     : 000001d9`8de22580 001fff0d`0000001f 000001d6`d4830000 00000000`00010000 : VCRUNTIME140!memcpy+0x17d [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 304] 
01 00007ffa`4ef1ff01     : 000001d9`bfe98fa0 00000020`aa9ff4b0 000001d6`d4830000 00000000`00000010 : libpersona!Emf::EmfLoader::LoadDocument+0x3a4a1
02 00007ffa`4ef1fe9c     : 00000020`aa9ff390 00000000`00000000 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x51d81
03 00007ffa`faf0e73f     : 00000000`00000000 000001d9`8ead9d20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
04 00007ffa`fc56d432     : 000001d9`b337cfd0 00000020`00000000 000001d9`b337cfd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
05 00007ffa`4ef215ce     : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d9`85c12f90 : GDI32!EnumEnhMetaFileStub+0x52
06 00007ffa`4eecdb56     : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
07 00007ffa`4eece041     : 000001d9`85c12f90 000001d9`8ead9d20 000001d9`85c12f90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
08 00007ffa`4eece2ab     : 00000020`aa9ff708 000001d9`85c12f90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
09 00007ffa`4eece124     : 000001d9`c2ba7740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
0a 00007ffa`4ec83a94     : 000001d9`c3a00f90 000001d9`c2ba7740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0b 00007ffa`4ec5088f     : 000001d9`c2ba7740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0c 00007ffa`4ec4eacc     : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0d 00007ffa`51283602     : 000001d9`bdf2e690 00000000`00000000 000001d9`aa108f70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0e 00007ffa`52a96cea     : 000001d9`bdf2e6c8 000001d9`b5072f00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
0f 00007ffa`af2464cf     : 00000000`00000000 000001d9`aa108f70 00000000`00000000 000001d9`bf97efe0 : libpersona!PersonaController::StaticDoCommand+0x3a
10 00007ffa`af49f47f     : 000001d9`c39cafd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
11 00007ffa`fcc17374     : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
12 00007ffa`fd87cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
13 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

0:032> lmDvm libpersona
Browse full module list
start             end                 module name
00007ffa`49180000 00007ffa`60abb000   libpersona   (export symbols)       C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image name: libpersona.dll
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Nov  3 07:34:40 2025 (6908CB90)
    CheckSum:         17822078
    ImageSize:        1793B000
    Mapping Form:     Loaded
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.

VENDOR RESPONSE

See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)

TIMELINE

2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release

Credit

Discovered by KPC of Cisco Talos.