Talos Vulnerability Report

TALOS-2025-2301

Canva Affinity EMF File EMR_POLYDRAW Count Out-Of-Bounds Read Vulnerability

March 17, 2026
CVE Number

CVE-2025-66000

SUMMARY

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Canva Affinity 3.0.1.3808

PRODUCT URLS

Affinity - https://www.affinity.studio/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative to software such as Adobe Creative Cloud.

Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:

Offset    Size    Name
------    ----    --------------------------------------
0x00      0x04    recordType  (0x00000001)
0x04      0x04    recordSize
0x08      0x10    bounds
0x18      0x10    frame
0x28      0x04    recordSignature (0x464D4520)
0x2C      0x04    version
0x30      0x04    sizeInBytes
0x34      0x04    numOfRecords
0x38      0x02    Handles
0x3A      0x02    Reserved

Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.

For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize field indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (FME ). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords field indicates the total number of records present in the metafile, including the EMR_HEADER.

This vulnerability is associated with the record type EMR_POLYDRAW.

The EMR_POLYDRAW record specifies a series of connected line segments. Its structure is defined as follows:

Offset        Size      Name
------        ----      --------------------------------------
0x00          0x04      recordType  (0x00000038)
0x04          0x04      recordSize
0x08          0x10      Bounds
0x18          0x04      Count (n)
0x1C          0x08*n    aPoints
0x1C+(8*n)    n         abTypes

For the EMR_POLYDRAW record, the recordType value must be 0x00000038. The Count field indicates the number of points contained in the aPoints array, where each point occupies 8 bytes. The abTypes field is also an array, holding one byte per point, so its length equals the value of Count.

This vulnerability occurs because the value of Count is not validated against the record size. If (0x1C + (8*n) + n) is greater than the recordSize field, the aPoints or abTypes arrays extend past the end of the record, and an out-of-bounds read occurs when they are accessed. This behavior can be observed while debugging with pageheap enabled.

0:032> g
Breakpoint 1 hit
libpersona!Emf::EmfLoader::LoadDocument+0x49085:
00007ffa`4ef17205 448b4e18        mov     r9d,dword ptr [rsi+18h] ds:000001d6`d48300c4=00000222
0:032> r
rax=0000000000000000 rbx=000001d6d48300ac rcx=00000020aa9ff390
rdx=00007ffa4ef11506 rsi=000001d6d48300ac rdi=00000020aa9ff2d0
rip=00007ffa4ef17205 rsp=00000020aa9ff000 rbp=00000020aa9ff1f1
 r8=00007ffa49180000  r9=0000000000000001 r10=00000000ffffffef
r11=00000020aa9fefa0 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x49085:
00007ffa`4ef17205 448b4e18        mov     r9d,dword ptr [rsi+18h] ds:000001d6`d48300c4=00000222 ;<----------------------- (1)
0:032> dd 000001d6d48300ac  ;<------------------------------------- (2)
000001d6`d48300ac  00000038 0000005c 00000064 00000064
000001d6`d48300bc  0000c350 0000012c 00000222 00000064
000001d6`d48300cc  00000064 000000c8 000000c8 0000012c
000001d6`d48300dc  0000012c 0000c350 000000c8 000001f4
000001d6`d48300ec  00000064 00000258 000000c8 000002bc
000001d6`d48300fc  0000012c 04020206 00020404 0000000e
000001d6`d483010c  00000014 00000000 00000010 00000014
000001d6`d483011c  00000000 00000000 00000000 00000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x49089:
00007ffa`4ef17209 488d5e24        lea     rbx,[rsi+24h]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4908d:
00007ffa`4ef1720d 33ff            xor     edi,edi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4908f:
00007ffa`4ef1720f 418d41ff        lea     eax,[r9-1]
0:032> p;r
rax=0000000000000221 rbx=000001d6d48300d0 rcx=00000020aa9ff390
rdx=00007ffa4ef11506 rsi=000001d6d48300ac rdi=0000000000000000
rip=00007ffa4ef17213 rsp=00000020aa9ff000 rbp=00000020aa9ff1f1
 r8=00007ffa49180000  r9=0000000000000222 r10=00000000ffffffef
r11=00000020aa9fefa0 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
libpersona!Emf::EmfLoader::LoadDocument+0x49093:
00007ffa`4ef17213 488d1cc3        lea     rbx,[rbx+rax*8] ; <------------------------------------- (3)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x49097:
00007ffa`4ef17217 4585c9          test    r9d,r9d
0:032> r
rax=0000000000000221 rbx=000001d6d48311d8 rcx=00000020aa9ff390
rdx=00007ffa4ef11506 rsi=000001d6d48300ac rdi=0000000000000000
rip=00007ffa4ef17217 rsp=00000020aa9ff000 rbp=00000020aa9ff1f1
 r8=00007ffa49180000  r9=0000000000000222 r10=00000000ffffffef
r11=00000020aa9fefa0 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
libpersona!Emf::EmfLoader::LoadDocument+0x49097:
00007ffa`4ef17217 4585c9          test    r9d,r9d
0:032> db 000001d6d48311d8                                   ; <------------------------------------- (4)
000001d6`d48311d8  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d48311e8  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d48311f8  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831208  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831218  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831228  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831238  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831248  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4909a:
00007ffa`4ef1721a 0f84f0010000    je      libpersona!Emf::EmfLoader::LoadDocument+0x49290 (00007ffa`4ef17410) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x490a0:
00007ffa`4ef17220 4889ac24a0000000 mov     qword ptr [rsp+0A0h],rbp ss:00000020`aa9ff0a0=000001d9b08ccfb0

The EMR_POLYDRAW record is examined at (2). At (1), the Count value is read and then, at (3), scaled by 8 and added to the pointer to the aPoints array to calculate the address of the abTypes array. Because the Count value is not validated before this access, an unexpectedly large Count causes the computed address to fall outside the intended memory region, as illustrated at (4). When the program later attempts to read from this invalid location, an out-of-bounds read occurs, which becomes evident at the time of the crash.

0:032> g
(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
libpersona!Emf::EmfLoader::LoadDocument+0x490e0:
00007ffa`4ef17260 0fb603          movzx   eax,byte ptr [rbx] ds:000001d6`d48311d8=??

0:032> db rbx
000001d6`d48311d8  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d48311e8  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d48311f8  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831208  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831218  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831228  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831238  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001d6`d4831248  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

0:032> u
libpersona!Emf::EmfLoader::LoadDocument+0x490e0:
00007ffa`4ef17260 0fb603          movzx   eax,byte ptr [rbx]
00007ffa`4ef17263 83c0fe          add     eax,0FFFFFFFEh
00007ffa`4ef17266 83f805          cmp     eax,5
00007ffa`4ef17269 0f8777010000    ja      libpersona!Emf::EmfLoader::LoadDocument+0x49266 (00007ffa`4ef173e6)
00007ffa`4ef1726f 4898            cdqe
00007ffa`4ef17271 418b8c801c74d905 mov     ecx,dword ptr [r8+rax*4+5D9741Ch]
00007ffa`4ef17279 4903c8          add     rcx,r8
00007ffa`4ef1727c ffe1            jmp     rcx

0:032> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`4ef208f7     : 00000020`aa9ff1f1 000001d6`d48300cc 00007ffa`4ef1fe80 000001d6`d4830000 : libpersona!Emf::EmfLoader::LoadDocument+0x490e0
01 00007ffa`4ef1fe9c     : 00000020`aa9ff390 00000000`000000ac 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x52777
02 00007ffa`faf0e73f     : 00000000`000000ac 000001d9`88eeed20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
03 00007ffa`fc56d432     : 000001d9`c171afd0 00000020`00000000 000001d9`c171afd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
04 00007ffa`4ef215ce     : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d9`bcdf8f90 : GDI32!EnumEnhMetaFile+0x52
05 00007ffa`4eecdb56     : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
06 00007ffa`4eece041     : 000001d9`bcdf8f90 000001d9`88eeed20 000001d9`bcdf8f90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
07 00007ffa`4eece2ab     : 00000020`aa9ff708 000001d9`bcdf8f90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
08 00007ffa`4eece124     : 000001d9`95988740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
09 00007ffa`4ec83a94     : 000001d9`bb850fb0 000001d9`95988740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0a 00007ffa`4ec5088f     : 000001d9`95988740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0b 00007ffa`4ec4eacc     : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0c 00007ffa`51283602     : 000001d9`8dcd0690 00000000`00000000 000001d9`bcf52f70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0d 00007ffa`52a96cea     : 000001d9`8dcd06c8 000001d9`88bf0f00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
0e 00007ffa`af2464cf     : 00000000`00000000 000001d9`bcf52f70 00000000`00000000 000001d9`b4a08fe0 : libpersona!PersonaController::StaticDoCommand+0x3a
0f 00007ffa`af49f47f     : 000001d9`b4210fd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
10 00007ffa`fcc17374     : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
11 00007ffa`fd87cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
12 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

0:032> lmDvmlibpersona
start             end                 module name
00007ffa`49180000 00007ffa`60abb000   libpersona   (export symbols)       C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image name: libpersona.dll
    Timestamp:        Mon Nov  3 07:34:40 2025 (6908CB90)
    CheckSum:         17822078
    ImageSize:        1793B000
    Mapping Form:     Loaded
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.
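
The following C parser is an added example, not code from the Affinity product or from Talos; it shows the length check the DETAILS section describes as missing (0x1C + 8*n + n must not exceed recordSize, and recordSize must fit in the remaining metafile), computed in 64-bit arithmetic so a huge Count cannot wrap the sum. The sample bytes are the 0x5C-byte EMR_POLYDRAW record from the memory dump above, reconstructed by hand with Count overridden; the helper names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EMR_POLYDRAW      0x38u
#define POLYDRAW_FIXED    0x1Cu   /* recordType .. Count */

typedef struct { uint32_t count; const uint8_t *points, *types; } polydraw_t;

static uint32_t rd32(const uint8_t *p) {  /* EMF fields are little-endian */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* avail = bytes left in the metafile from rec onward. Returns 0 if ok, <0 if rejected. */
int parse_polydraw(const uint8_t *rec, size_t avail, polydraw_t *out) {
    if (avail < POLYDRAW_FIXED) return -1;                 /* fixed part not even present */
    if (rd32(rec) != EMR_POLYDRAW) return -2;
    uint32_t size = rd32(rec + 4), n = rd32(rec + 0x18);
    if (size < POLYDRAW_FIXED || size > avail) return -3;   /* record must fit in the file */
    /* The check the advisory reports as missing: 0x1C + 8*n + n must not exceed recordSize.
       64-bit arithmetic so a huge n cannot wrap the sum back into range. */
    if ((uint64_t)POLYDRAW_FIXED + 8ull * n + n > size) return -4;
    out->count  = n;
    out->points = rec + POLYDRAW_FIXED;
    out->types  = rec + POLYDRAW_FIXED + (size_t)8 * n;
    return 0;
}

/* Constructed sample: the 92-byte record from the advisory's dump (7 points), word index 6
   is Count and is overridden so the same bytes can be checked with a sane and a hostile value. */
static const uint32_t kWords[23] = {
    0x38, 0x5c, 0x64, 0x64, 0xc350, 0x12c, 7,
    0x64, 0x64, 0xc8, 0xc8, 0x12c, 0x12c, 0xc350, 0xc8, 0x1f4, 0x64, 0x258, 0xc8, 0x2bc, 0x12c,
    0x04020206, 0x00020404 };

/* Returns the parser's error code (<0) or, on success, the first abTypes byte (0..255). */
int check_sample(uint32_t count) {
    uint8_t buf[sizeof kWords];
    for (size_t i = 0; i < 23; i++) {
        uint32_t w = (i == 6) ? count : kWords[i];
        for (int b = 0; b < 4; b++) buf[4 * i + b] = (uint8_t)(w >> (8 * b));  /* serialize LE */
    }
    polydraw_t pd;
    int rc = parse_polydraw(buf, sizeof buf, &pd);
    return rc < 0 ? rc : pd.types[0];
}

int main(void) {
    printf("Count=7: %d  Count=0x222: %d  Count=0xFFFFFFFF: %d\n",
           check_sample(7), check_sample(0x222), check_sample(0xFFFFFFFFu));
    return 0;
}
```

With Count=7 the record validates and abTypes[0] is 0x06; with the dump's Count of 0x222 (or the largest possible value) the record is rejected before any array is touched.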

VENDOR RESPONSE

See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)

TIMELINE

2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release

Credit

Discovered by KPC of Cisco Talos.