CVE-2025-64301
An out‑of‑bounds write vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out‑of‑bounds write, potentially leading to code execution.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Canva Affinity 3.0.1.3808
Affinity - https://www.affinity.studio/
7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative the software like Adobe Creative Cloud.
Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.
An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:
Offset Size Name
------ ---- --------------------------------------
0x00 0x04 recordType (0x00000001 )
0x04 0x04 recordSize
0x08 0x10 bounds
0x18 0x10 frame
0x28 0x04 recordSignature (0x464D4520)
0x2C 0x04 version
0x30 0x04 sizeInBytes
0x34 0x04 numOfRecords
0x38 0x02 Handles
0x3A 0x02 Reserved
Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.
For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (FME ). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords indicates the total number of records present in the metafile, including the EMR_HEADER.
This vulnerability is associated with the record type EMR_CREATEDIBPATTERNBRUSHPT.
The EMR_CREATEDIBPATTERNBRUSHPT record defines a pattern brush for graphics operations. The structure of the EMR_CREATEDIBPATTERNBRUSHPT record is as follows:
Offset Size Name
----- ---------- --------------------------------------
0x00 0x04 recordType (0x0000005E )
0x04 0x04 recordSize
0x08 0x04 ihBrush
0x0C 0x04 Usage
0x10 0x04 offBmi (n)
0x14 0x04 cbBmi (p)
0x18 0x04 offBits
0x20 0x04 cbBits (q)
n p+q BitmapBuffer
For the EMR_CREATEDIBPATTERNBRUSHPT record, the recordType value must be 0x0000005E. The offBmi field indicates the offset from the start of this record to the DIB header, and the cbBmi field specifies the size of the DIB header. The offBits field indicates the offset from the start of this record to the DIB bits, and the cbBits field specifies the size of the DIB bits.
The first field in the DIB header is DIBHeaderInfo, which is a variable‑length field. The first 4 bytes of DIBHeaderInfo contain the HeaderSize value, which specifies the total size of the DIBHeaderInfo structure. The begining of the DIB header is as follows:
Offset Size Name
----- ---------- --------------------------------------
0x00 0x04 HeaderSize
0x04 0x04 Width
0x08 0x04 Height
0x0C 0x02 Planes
0x0E 0x02 BitCount
Please note that the structure of DIB header shown is not complete; it only includes the relevant fields.
The application calculates the size of the DIB header using the following equation:
CalculatedHeaderSize = (cbBits + offBits - offBmi) + (1 << BitCount)
The vulnerability occurs because the HeaderSize value is not validated. If the value of HeaderSize is greater than CalculatedHeaderSize, then an out‑of‑bounds write occurs when the DIBHeaderInfo data is copied to the destination buffer, whose size is limited to CalculatedHeaderSize. This behavior can be observed during debugging with pageheap enabled.
0:032> g
Breakpoint 1 hit
libpersona!Emf::EmfLoader::LoadDocument+0x44d17:
00007ffa`4ef12e97 e834e6ffff call libpersona!Emf::EmfLoader::LoadDocument+0x43350 (00007ffa`4ef114d0)
0:032> r
rax=0000761eaaafd16f rbx=000001d6d48305c4 rcx=00000020aa9ff390
rdx=000001d6d48305c4 rsi=000001d6d48305c4 rdi=00000020aa9ff2d0
rip=00007ffa4ef12e97 rsp=00000020aa9fef50 rbp=00000020aa9ff050
r8=000001d9ae1a8fd0 r9=0000000000000006 r10=00000000ffffffef
r11=00000020aa9fedf0 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
libpersona!Emf::EmfLoader::LoadDocument+0x44d17:
00007ffa`4ef12e97 e834e6ffff call libpersona!Emf::EmfLoader::LoadDocument+0x43350 (00007ffa`4ef114d0)
0:032> dd 000001d6d48305c4 ;<--------------------------------------- (1)
000001d6`d48305c4 0000005e 00000158 00000004 00000000
000001d6`d48305d4 00000024 0000002d 00000035 00000038
000001d6`d48305e4 00000039 05000039 00000037 00003930
000001d6`d48305f4 00005800 00010000 00000000 00002820
000001d6`d4830604 00000800 00000800 20000100 00000300
000001d6`d4830614 00010000 00000000 00000000 00000000
000001d6`d4830624 00000000 ff000000 00ff0000 0000ff00
000001d6`d4830634 00000000 00000000 00000000 00000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44d1c:
00007ffa`4ef12e9c 8b5610 mov edx,dword ptr [rsi+10h] ds:000001d6`d48305d4=00000024 ;<--------------------------------------- (2)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44d1f:
00007ffa`4ef12e9f 4803d6 add rdx,rsi ;<--------------------------------------- (3)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44d22:
00007ffa`4ef12ea2 448b4618 mov r8d,dword ptr [rsi+18h] ds:000001d6`d48305dc=00000035
0:032> r
rax=000001d97aff6fd0 rbx=000001d6d48305c4 rcx=000001d6af810000
rdx=000001d6d48305e8 rsi=000001d6d48305c4 rdi=00000020aa9ff2d0
rip=00007ffa4ef12ea2 rsp=00000020aa9fef50 rbp=00000020aa9ff050
r8=0000000000000001 r9=0000000000000001 r10=00000000ffffffef
r11=00000020aa9fee50 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x44d22:
00007ffa`4ef12ea2 448b4618 mov r8d,dword ptr [rsi+18h] ds:000001d6`d48305dc=00000035
0:032> dd 000001d6d48305e8 ;<--------------------------------------- (4)
000001d6`d48305e8 05000039 00000037 00003930 00005800
000001d6`d48305f8 00010000 00000000 00002820 00000800
000001d6`d4830608 00000800 20000100 00000300 00010000
000001d6`d4830618 00000000 00000000 00000000 00000000
000001d6`d4830628 ff000000 00ff0000 0000ff00 00000000
000001d6`d4830638 00000000 00000000 00000000 00000000
000001d6`d4830648 00000000 00000000 00000000 00000000
000001d6`d4830658 00000000 00000000 00000000 00000000
0:032> db 000001d6d48305e8
000001d6`d48305e8 39 00 00 05 37 00 00 00-30 39 00 00 00 58 00 00 9...7...09...X..
000001d6`d48305f8 00 00 01 00 00 00 00 00-20 28 00 00 00 08 00 00 ........ (......
000001d6`d4830608 00 08 00 00 00 01 00 20-00 03 00 00 00 00 01 00 ....... ........
000001d6`d4830618 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001d6`d4830628 00 00 00 ff 00 00 ff 00-00 ff 00 00 00 00 00 00 ................
000001d6`d4830638 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001d6`d4830648 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001d6`d4830658 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44d26:
00007ffa`4ef12ea6 4c03c6 add r8,rsi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44d29:
00007ffa`4ef12ea9 448b4e1c mov r9d,dword ptr [rsi+1Ch] ds:000001d6`d48305e0=00000038
0:032> pc
libpersona!Emf::EmfLoader::LoadDocument+0x44d6b:
00007ffa`4ef12eeb e8e026a0ff call libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib (00007ffa`4e9155d0); <-------------- (5)
The contents of the EMR_CREATEDIBPATTERNBRUSHPT record are examined at (1). At (2), the offBmi value is read and added to the pointer at (3) to obtain the address pointing to the DIB header. The contents of the DIB header can be observed at (4). Here, the value of the HeaderSize field is 0x5000039.
0:032> t
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib:
00007ffa`4e9155d0 48895c2418 mov qword ptr [rsp+18h],rbx ss:00000020`aa9fef60=000001d6d48305c4
0:032> bp 0007FFA4E915790
0:032> g
Breakpoint 2 hit
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1c0:
00007ffa`4e915790 8b1f mov ebx,dword ptr [rdi] ds:000001d6`d48305e8=05000039;<--------------------- (6)
0:032> p
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1c2:
00007ffa`4e915792 498b0f mov rcx,qword ptr [r15] ds:00000020`aa9fefb0=000001d9b04baf40
0:032> p
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1c5:
00007ffa`4e915795 ff15d5f1dd0e call qword ptr [libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x11bd8f0 (00007ffa`5d6f4970)] ds:00007ffa`5d6f4970={libraster!Raster::CompressedRasterData::GetData (00007ffa`8f000c9d)} ;<---------------------------- (7)
0:032> p
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1cb:
00007ffa`4e91579b 488d480e lea rcx,[rax+0Eh]
0:032> r
rax=000001d990e30fa0 rbx=0000000005000039 rcx=000001d9b04baf40
rdx=000000000001fb8a rsi=0000000000000000 rdi=000001d6d48305e8
rip=00007ffa4e91579b rsp=00000020aa9fed90 rbp=00000020aa9fee90
r8=0000000000000001 r9=0000000000000000 r10=000001d990e30fa0
r11=0000000000000246 r12=0000000000000049 r13=00000020aa9fefa8
r14=0000000000000000 r15=00000020aa9fefb0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1cb:
00007ffa`4e91579b 488d480e lea rcx,[rax+0Eh]
0:032> db 000001d990e30fa0 <---------------------------- (8)
000001d9`90e30fa0 42 4d 57 00 00 00 00 00-00 00 00 00 00 00 c0 c0 BMW.............
000001d9`90e30fb0 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`90e30fc0 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`90e30fd0 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`90e30fe0 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
000001d9`90e30ff0 c0 c0 c0 c0 c0 c0 c0 d0-d0 d0 d0 d0 d0 d0 d0 d0 ................
000001d9`90e31000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
000001d9`90e31010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:032> p
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1cf:
00007ffa`4e91579f 448bc3 mov r8d,ebx
0:032> p
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1d2:
00007ffa`4e9157a2 488bd7 mov rdx,rdi
0:032> p
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1d5:
00007ffa`4e9157a5 e84042e90d call libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x27296a (00007ffa`5c7a99ea)
0:032> r
rax=000001d990e30fa0 rbx=0000000005000039 rcx=000001d990e30fae
rdx=000001d6d48305e8 rsi=0000000000000000 rdi=000001d6d48305e8
rip=00007ffa4e9157a5 rsp=00000020aa9fed90 rbp=00000020aa9fee90
r8=0000000005000039 r9=0000000000000000 r10=000001d990e30fa0
r11=0000000000000246 r12=0000000000000049 r13=00000020aa9fefa8
r14=0000000000000000 r15=00000020aa9fefb0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1d5:
00007ffa`4e9157a5 e84042e90d call libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x27296a (00007ffa`5c7a99ea) ;<---------------------------- (9)
0:032> db rdx
000001d6`d48305e8 39 00 00 05 37 00 00 00-30 39 00 00 00 58 00 00 9...7...09...X..
000001d6`d48305f8 00 00 01 00 00 00 00 00-20 28 00 00 00 08 00 00 ........ (......
000001d6`d4830608 00 08 00 00 00 01 00 20-00 03 00 00 00 00 01 00 ....... ........
000001d6`d4830618 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001d6`d4830628 00 00 00 ff 00 00 ff 00-00 ff 00 00 00 00 00 00 ................
000001d6`d4830638 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001d6`d4830648 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001d6`d4830658 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
At (6), the HeaderSize field is read. The method called at (7) returns the destination buffer used to store DIBHeaderInfo, and the contents of this buffer can be observed at (8). The memcpy function is called at (9) to copy the DIBHeaderInfo into the destination buffer. The value of HeaderSize determines the number of bytes to be copied. However, because the destination buffer is smaller than HeaderSize, an out‑of‑bounds write occurs during the memcpy operation. This behavior can be observed at the time of the crash.
0:032> g
(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VCRUNTIME140!memcpy+0x31c:
00007ffa`fa1e14fc c5fde75940 vmovntdq ymmword ptr [rcx+40h],ymm3 ds:000001d9`90e31000=??
0:032> dd 000001d9`90e31000
000001d9`90e31000 ???????? ???????? ???????? ????????
000001d9`90e31010 ???????? ???????? ???????? ????????
000001d9`90e31020 ???????? ???????? ???????? ????????
000001d9`90e31030 ???????? ???????? ???????? ????????
000001d9`90e31040 ???????? ???????? ???????? ????????
000001d9`90e31050 ???????? ???????? ???????? ????????
000001d9`90e31060 ???????? ???????? ???????? ????????
000001d9`90e31070 ???????? ???????? ???????? ????????
0:032> u
VCRUNTIME140!memcpy+0x31c [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 440]:
00007ffa`fa1e14fc c5fde75940 vmovntdq ymmword ptr [rcx+40h],ymm3
00007ffa`fa1e1501 c5fde76160 vmovntdq ymmword ptr [rcx+60h],ymm4
00007ffa`fa1e1506 c5fe6f8a80000000 vmovdqu ymm1,ymmword ptr [rdx+80h]
00007ffa`fa1e150e c5fe6f92a0000000 vmovdqu ymm2,ymmword ptr [rdx+0A0h]
00007ffa`fa1e1516 c5fe6f9ac0000000 vmovdqu ymm3,ymmword ptr [rdx+0C0h]
00007ffa`fa1e151e c5fe6fa2e0000000 vmovdqu ymm4,ymmword ptr [rdx+0E0h]
00007ffa`fa1e1526 c5fde78980000000 vmovntdq ymmword ptr [rcx+80h],ymm1
00007ffa`fa1e152e c5fde791a0000000 vmovntdq ymmword ptr [rcx+0A0h],ymm2
0:032> kb
# RetAddr : Args to Child : Call Site
00 00007ffa`4e9157aa : 00000000`00000000 00000000`00000000 00007ffa`9302c000 00000000`00000000 : VCRUNTIME140!memcpy+0x31c [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 440]
01 00007ffa`4ef12ef0 : 000001d9`8b794fd0 000001d6`d48305c4 000001d6`d48305c4 000001d9`8b794fd0 : libpersona!Dib::RasterHelper::CreateDynamicBitmapFromDib+0x1da
02 00007ffa`4ef20fcf : 000001d9`96d78fd0 000001d9`ab172d20 000001d6`d48305c4 00000020`aa9ff1f1 : libpersona!Emf::EmfLoader::LoadDocument+0x44d70
03 00007ffa`4ef1fe9c : 00000020`aa9ff390 00000000`000005c4 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x52e4f
04 00007ffa`faf0e73f : 00000000`000005c4 000001d9`ab172d20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
05 00007ffa`fc56d432 : 000001d9`96d78fd0 00000020`00000000 000001d9`96d78fd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
06 00007ffa`4ef215ce : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d9`baf50f90 : GDI32!EnumEnhMetaFileStub+0x52
07 00007ffa`4eecdb56 : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
08 00007ffa`4eece041 : 000001d9`baf50f90 000001d9`ab172d20 000001d9`baf50f90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
09 00007ffa`4eece2ab : 00000020`aa9ff708 000001d9`baf50f90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
0a 00007ffa`4eece124 : 000001d9`91399740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
0b 00007ffa`4ec83a94 : 000001d9`b580ef90 000001d9`91399740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0c 00007ffa`4ec5088f : 000001d9`91399740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0d 00007ffa`4ec4eacc : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0e 00007ffa`51283602 : 000001d9`b025e690 00000000`00000000 000001d9`94db0f70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0f 00007ffa`52a96cea : 000001d9`b025e6c8 000001d9`9c662f00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
10 00007ffa`af2464cf : 00000000`00000000 000001d9`94db0f70 00000000`00000000 000001d9`85986fe0 : libpersona!PersonaController::StaticDoCommand+0x3a
11 00007ffa`af49f47f : 000001d9`8b4b0fd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
12 00007ffa`fcc17374 : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
13 00007ffa`fd87cc91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
14 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:032> lmDvm libpersona
Browse full module list
start end module name
00007ffa`49180000 00007ffa`60abb000 libpersona (export symbols) C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Image name: libpersona.dll
Browse all global symbols functions data Symbol Reload
Timestamp: Mon Nov 3 07:34:40 2025 (6908CB90)
CheckSum: 17822078
ImageSize: 1793B000
Mapping Form: Loaded
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Exploiting this vulnerability allows writing to arbitrary memory within the process, which could potentially lead to code execution.
See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)
2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release
Discovered by KPC of Cisco Talos.