Talos Vulnerability Report

TALOS-2025-2311

Canva Affinity EMF File EMR_BITBLT offBmiSrc Out-Of-Bounds Read Vulnerability

March 17, 2026
CVE Number

CVE-2025-64776

SUMMARY

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Canva Affinity 3.0.1.3808

PRODUCT URLS

Affinity - https://www.affinity.studio/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Affinity is a suite of creative applications for graphic design, photo editing, and desktop publishing. It provides tools to create illustrations, edit images, and design print or digital layouts, and is widely regarded as a capable and affordable alternative to software such as Adobe Creative Cloud.

Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:

Offset      Size      Name
------      ----      --------------------------------------
0x00        0x04      recordType  (0x00000001)
0x04        0x04      recordSize
0x08        0x10      bounds
0x18        0x10      frame
0x28        0x04      recordSignature (0x464D4520)
0x2C        0x04      version
0x30        0x04      sizeInBytes
0x34        0x04      numOfRecords
0x38        0x02      Handles
0x3A        0x02      Reserved

Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.

For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field must have the value 0x464D4520, which is the ASCII string " EMF" when the four bytes are read in little-endian order as stored in the file. The sizeInBytes field specifies the size of the whole metafile in bytes. The numOfRecords field indicates the total number of records present in the metafile, including the EMR_HEADER itself.

This vulnerability is associated with the record type EMR_BITBLT.

The EMR_BITBLT record defines a block transfer of pixels from a source bitmap to a destination rectangle. Its structure is defined as follows:

Offset      Size      Name
------      ----      --------------------------------------
0x00        0x04      recordType  (0x0000004C)
0x04        0x04      recordSize
0x08        0x10      Bounds
0x18        0x04      xDest
0x1C        0x04      yDest
0x20        0x04      cxDest
0x24        0x04      cyDest
0x28        0x04      BitBltRasterOperation
0x2C        0x04      xSrc
0x30        0x04      ySrc
0x34        0x18      XformSrc
0x4C        0x04      BkColorSrc
0x50        0x04      UsageSrc
0x54        0x04      offBmiSrc   (n)
0x58        0x04      cbBmiSrc    (p)
0x5C        0x04      offBitsSrc
0x60        0x04      cbBitsSrc   (q)
n           p+q       BitmapBuffer

For the EMR_BITBLT record, the recordType value must be 0x0000004C. The offBmiSrc field specifies the offset, measured from the start of the record, of the source bitmap header (a DIB header) within the BitmapBuffer field, and cbBmiSrc gives that header's size in bytes. The offBitsSrc and cbBitsSrc fields locate the source pixel bits in the same way. Because every one of these offsets is relative to the record, each must satisfy offset + size <= recordSize for the data it points to to lie inside the record.

This vulnerability occurs because offBmiSrc is never compared against the recordSize field before it is used. When offBmiSrc is greater than recordSize, the pointer formed from it lands outside the record, and the subsequent access to the source bitmap header is an out-of-bounds read. This behavior can be observed while debugging with PageHeap enabled.
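The following C program is an added illustration and is not code from Affinity or from the Talos report. It walks an EMF record stream using the EMR_HEADER and EMR_BITBLT layouts tabulated above and applies the missing check: offBmiSrc/cbBmiSrc (and offBitsSrc/cbBitsSrc) must describe a region inside the record before the record-relative pointer is formed and the DIB header's biSize is read. The sample file it parses is constructed in memory by build_emf (a 1x1 32-bpp DIB behind a single EMR_BITBLT, framed by a minimal 0x58-byte EMR_HEADER and an EMR_EOF); build_emf, scan_emf, check_bitblt and the two demo_* functions are names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants from MS-EMF and the field layouts tabulated above. */
#define EMR_HEADER_TYPE     0x00000001u
#define EMR_HEADER_SIG      0x464D4520u   /* the bytes " EMF" stored little-endian */
#define EMR_BITBLT_TYPE     0x0000004Cu
#define EMR_EOF_TYPE        0x0000000Eu
#define EMR_HEADER_MIN      0x58u         /* smallest EMR_HEADER (no description/pixel-format extensions) */
#define EMR_BITBLT_FIXED    0x64u         /* fixed EMR_BITBLT fields end after cbBitsSrc */
#define BITMAPINFOHEADER_CB 0x28u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

enum bitblt_status { BITBLT_OK = 0, BITBLT_NO_BITMAP, BITBLT_BAD_OFFSET, BITBLT_BAD_HEADER };

/* Validate the source-bitmap fields of one EMR_BITBLT record of rec_size bytes
 * BEFORE forming rec + offBmiSrc. Both (offset, size) pairs must lie inside the
 * record; this is the comparison against recordSize that the advisory says the
 * loader does not perform. */
enum bitblt_status check_bitblt(const uint8_t *rec, uint32_t rec_size) {
    uint32_t offBmiSrc  = rd32(rec + 0x54), cbBmiSrc  = rd32(rec + 0x58);
    uint32_t offBitsSrc = rd32(rec + 0x5C), cbBitsSrc = rd32(rec + 0x60);

    if ((offBmiSrc | cbBmiSrc | offBitsSrc | cbBitsSrc) == 0)
        return BITBLT_NO_BITMAP;                      /* no source DIB: nothing to dereference */

    /* 64-bit sums so that offset + size cannot wrap around in 32 bits. */
    if (offBmiSrc < EMR_BITBLT_FIXED || (uint64_t)offBmiSrc + cbBmiSrc > rec_size)
        return BITBLT_BAD_OFFSET;
    if (offBitsSrc < EMR_BITBLT_FIXED || (uint64_t)offBitsSrc + cbBitsSrc > rec_size)
        return BITBLT_BAD_OFFSET;

    /* Only now is rec + offBmiSrc safe to read: the first dword is biSize. */
    if (cbBmiSrc < BITMAPINFOHEADER_CB) return BITBLT_BAD_HEADER;
    uint32_t biSize = rd32(rec + offBmiSrc);
    if (biSize < BITMAPINFOHEADER_CB || biSize > cbBmiSrc) return BITBLT_BAD_HEADER;
    return BITBLT_OK;
}

/* Walk the record stream. Returns how many EMR_BITBLT records failed
 * check_bitblt, or -1 if the file framing itself is malformed. */
int scan_emf(const uint8_t *buf, size_t len) {
    if (len < EMR_HEADER_MIN || rd32(buf) != EMR_HEADER_TYPE || rd32(buf + 0x28) != EMR_HEADER_SIG)
        return -1;
    int rejected = 0;
    for (size_t off = 0; off + 8 <= len; ) {
        uint32_t type = rd32(buf + off), size = rd32(buf + off + 4);
        if (size < 8 || (size & 3) || size > len - off) return -1;    /* record must fit the file */
        if (type == EMR_BITBLT_TYPE) {
            if (size < EMR_BITBLT_FIXED) return -1;
            if (check_bitblt(buf + off, size) >= BITBLT_BAD_OFFSET) rejected++;
        }
        if (type == EMR_EOF_TYPE) break;
        off += size;
    }
    return rejected;
}

/* Constructed sample file (not a real Affinity test case): EMR_HEADER, one
 * EMR_BITBLT carrying a 1x1 32-bpp DIB, then EMR_EOF. The caller chooses the
 * four source-bitmap fields so the same builder yields good and bad input. */
size_t build_emf(uint8_t *out, uint32_t offBmi, uint32_t cbBmi, uint32_t offBits, uint32_t cbBits) {
    const uint32_t blt_size = EMR_BITBLT_FIXED + BITMAPINFOHEADER_CB + 4;     /* 0x90 */
    const uint32_t total = EMR_HEADER_MIN + blt_size + 0x14;
    uint8_t *h = out, *b = out + EMR_HEADER_MIN, *e = b + blt_size;
    memset(out, 0, total);
    wr32(h, EMR_HEADER_TYPE); wr32(h + 4, EMR_HEADER_MIN); wr32(h + 0x28, EMR_HEADER_SIG);
    wr32(h + 0x2C, 0x00010000); wr32(h + 0x30, total); wr32(h + 0x34, 3);     /* version, sizeInBytes, numOfRecords */
    wr32(b, EMR_BITBLT_TYPE); wr32(b + 4, blt_size);
    wr32(b + 0x20, 1); wr32(b + 0x24, 1); wr32(b + 0x28, 0x00CC0020);         /* cxDest, cyDest, SRCCOPY */
    wr32(b + 0x34, 0x3F800000); wr32(b + 0x40, 0x3F800000);                     /* XformSrc = identity */
    wr32(b + 0x54, offBmi); wr32(b + 0x58, cbBmi); wr32(b + 0x5C, offBits); wr32(b + 0x60, cbBits);
    uint8_t *bmi = b + EMR_BITBLT_FIXED;                                        /* BITMAPINFOHEADER */
    wr32(bmi, BITMAPINFOHEADER_CB); wr32(bmi + 4, 1); wr32(bmi + 8, 1);         /* biSize, biWidth, biHeight */
    bmi[12] = 1; bmi[14] = 32;                                                  /* biPlanes, biBitCount */
    wr32(e, EMR_EOF_TYPE); wr32(e + 4, 0x14); wr32(e + 0xC, 0x10); wr32(e + 0x10, 0x14);
    return total;
}

/* Well-formed: DIB header directly after the fixed fields, pixel bits after it. */
int demo_valid(void) {
    uint8_t f[0x200]; size_t n = build_emf(f, 0x64, 0x28, 0x8C, 4);
    return scan_emf(f, n);
}
/* The four values from the advisory's dump, in a record that is only 0x90 bytes long. */
int demo_advisory_values(void) {
    uint8_t f[0x200]; size_t n = build_emf(f, 0x10000, 0x33, 0x37, 0x35);
    return scan_emf(f, n);
}

int main(void) {
    printf("valid record: %d rejected; crafted record: %d rejected\n", demo_valid(), demo_advisory_values());
    return 0;
}
```

demo_valid reports 0 rejected records and demo_advisory_values reports 1: the 0x10000 offset is refused before any pointer is formed, so the DIB header dereference that faults in the debugger session never happens. The 64-bit additions matter as much as the comparison itself; with 32-bit arithmetic an offset near 0xFFFFFFFF plus a small cbBmiSrc would wrap and pass a naive offset + size <= recordSize test.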

0:042> g
Breakpoint 0 hit
libpersona!Emf::EmfLoader::LoadDocument+0x44078:
00007ffa`4ef121f8 488bf2          mov     rsi,rdx
0:032> r
rax=00000020aa9ff098 rbx=000001d6d4830258 rcx=00000020aa9ff390
rdx=000001d6d4830258 rsi=000001d98c838d20 rdi=00000020aa9ff2d0
rip=00007ffa4ef121f8 rsp=00000020aa9feec0 rbp=00000020aa9fefc0
 r8=000001d98fb6af30  r9=0000000000000019 r10=0000000000000000
r11=00000020aa9ff020 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x44078:
00007ffa`4ef121f8 488bf2          mov     rsi,rdx
0:032> dd 000001d6d4830258     ;<----------------------------------------- (1)
000001d6`d4830258  0000004c 00002ad8 00000000 fffffffe
000001d6`d4830268  00000001 ffffffff 0000000a 0000000a
000001d6`d4830278  00000032 00000032 00cc0020 00000000
000001d6`d4830288  00000000 3f800000 00000000 00000000
000001d6`d4830298  3f800000 00000000 00000000 00ffffff
000001d6`d48302a8  00000000 00010000 00000033 00000037
000001d6`d48302b8  00000035 00000031 00009800 002a4000
000001d6`d48302c8  00002800 00003400 00003400 20000100
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4407b:
00007ffa`4ef121fb 4c8bf1          mov     r14,rcx
0:032> g
Breakpoint 1 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4424f:
00007ffa`4ef123cf 8b4654          mov     eax,dword ptr [rsi+54h] ds:000001d6`d48302ac=00010000 ;<-------------------------------- (2)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44252:
00007ffa`4ef123d2 85c0            test    eax,eax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44254:
00007ffa`4ef123d4 0f84dd040000    je      libpersona!Emf::EmfLoader::LoadDocument+0x44737 (00007ffa`4ef128b7) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4425a:
00007ffa`4ef123da 837e5800        cmp     dword ptr [rsi+58h],0 ds:000001d6`d48302b0=00000033
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4425e:
00007ffa`4ef123de 0f84d3040000    je      libpersona!Emf::EmfLoader::LoadDocument+0x44737 (00007ffa`4ef128b7) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44264:
00007ffa`4ef123e4 8b4e5c          mov     ecx,dword ptr [rsi+5Ch] ds:000001d6`d48302b4=00000037
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44267:
00007ffa`4ef123e7 85c9            test    ecx,ecx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44269:
00007ffa`4ef123e9 0f84c8040000    je      libpersona!Emf::EmfLoader::LoadDocument+0x44737 (00007ffa`4ef128b7) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4426f:
00007ffa`4ef123ef 448b4e60        mov     r9d,dword ptr [rsi+60h] ds:000001d6`d48302b8=00000035
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44273:
00007ffa`4ef123f3 4585c9          test    r9d,r9d
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44276:
00007ffa`4ef123f6 0f84bb040000    je      libpersona!Emf::EmfLoader::LoadDocument+0x44737 (00007ffa`4ef128b7) [br=0]
0:032> p;r
rax=0000000000010000 rbx=0000000000000000 rcx=0000000000000037
rdx=7fffffffffffffff rsi=000001d6d4830258 rdi=000001d9c35d2fc0
rip=00007ffa4ef123fc rsp=00000020aa9feec0 rbp=00000020aa9fefc0
 r8=00007ffa7c28a204  r9=0000000000000035 r10=0000000000000004
r11=00000020aa9fee40 r12=00007ffa4ef1fe80 r13=0000000000cc0020
r14=00000020aa9ff390 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x4427c:
00007ffa`4ef123fc 488d1406        lea     rdx,[rsi+rax]  ;<-------------------------------- (3)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44280:
00007ffa`4ef12400 4c8d040e        lea     r8,[rsi+rcx]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44284:
00007ffa`4ef12404 4533ff          xor     r15d,r15d
0:032> p;r
rax=0000000000010000 rbx=0000000000000000 rcx=0000000000000037
rdx=000001d6d4840258 rsi=000001d6d4830258 rdi=000001d9c35d2fc0
rip=00007ffa4ef12407 rsp=00000020aa9feec0 rbp=00000020aa9fefc0
 r8=000001d6d483028f  r9=0000000000000035 r10=0000000000000004
r11=00000020aa9fee40 r12=00007ffa4ef1fe80 r13=0000000000cc0020
r14=00000020aa9ff390 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
libpersona!Emf::EmfLoader::LoadDocument+0x44287:
00007ffa`4ef12407 4c897d90        mov     qword ptr [rbp-70h],r15 ss:00000020`aa9fef50=000001d999fa4fd0
0:032> dd 000001d6d4840258     ;<-------------------------------- (4)
000001d6`d4840258  ???????? ???????? ???????? ????????
000001d6`d4840268  ???????? ???????? ???????? ????????
000001d6`d4840278  ???????? ???????? ???????? ????????
000001d6`d4840288  ???????? ???????? ???????? ????????
000001d6`d4840298  ???????? ???????? ???????? ????????
000001d6`d48402a8  ???????? ???????? ???????? ????????
000001d6`d48402b8  ???????? ???????? ???????? ????????
000001d6`d48402c8  ???????? ???????? ???????? ????????
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4428b:
00007ffa`4ef1240b 4c897db8        mov     qword ptr [rbp-48h],r15 ss:00000020`aa9fef78=00007ffa4ef1fe80
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4428f:
00007ffa`4ef1240f 4c2bca          sub     r9,rdx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44292:
00007ffa`4ef12412 4d03c8          add     r9,r8
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x44295:
00007ffa`4ef12415 c7442440ffffffff mov     dword ptr [rsp+40h],0FFFFFFFFh ss:00000020`aa9fef00=d4830000

The contents of the EMR_BITBLT record are dumped at (1): recordType 0x4C, recordSize 0x2AD8, and at record offset 0x54 an offBmiSrc of 0x10000, followed by cbBmiSrc 0x33, offBitsSrc 0x37 and cbBitsSrc 0x35. At (2), the offBmiSrc value is loaded, and at (3) it is added to the record pointer in rsi to obtain the address of the source bitmap header. The value of offBmiSrc is not validated against recordSize before this address is formed; here it is 0x10000, far larger than the 0x2AD8-byte record, so the computed address lies 64 KiB past the start of the record in memory that is not mapped, as shown at (4). With PageHeap the later read of that address faults; without it the same read would silently pull in whatever happens to lie beyond the record's allocation, which is the information-disclosure case. The out-of-bounds read can be observed at the time of the crash, where the first dword at the computed address (the DIB header's biSize field, which the code then compares with 0x28, the size of a BITMAPINFOHEADER) is dereferenced.

0:032> g
(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
libbmp!Bmp::FileInputStream::IsValid+0x20a0:
00007ffa`edf6355f 8b02            mov     eax,dword ptr [rdx] ds:000001d6`d4840258=????????

0:032> dd 000001d6`d4840258
000001d6`d4840258  ???????? ???????? ???????? ????????
000001d6`d4840268  ???????? ???????? ???????? ????????
000001d6`d4840278  ???????? ???????? ???????? ????????
000001d6`d4840288  ???????? ???????? ???????? ????????
000001d6`d4840298  ???????? ???????? ???????? ????????
000001d6`d48402a8  ???????? ???????? ???????? ????????
000001d6`d48402b8  ???????? ???????? ???????? ????????
000001d6`d48402c8  ???????? ???????? ???????? ????????

0:032> u
libbmp!Bmp::FileInputStream::IsValid+0x20a0:
00007ffa`edf6355f 8b02            mov     eax,dword ptr [rdx]
00007ffa`edf63561 4c8bda          mov     r11,rdx
00007ffa`edf63564 4c8bc9          mov     r9,rcx
00007ffa`edf63567 83f828          cmp     eax,28h
00007ffa`edf6356a 7215            jb      libbmp!Bmp::FileInputStream::IsValid+0x20c2 (00007ffa`edf63581)
00007ffa`edf6356c 448b5210        mov     r10d,dword ptr [rdx+10h]
00007ffa`edf63570 8b5220          mov     edx,dword ptr [rdx+20h]
00007ffa`edf63573 450fb7430e      movzx   r8d,word ptr [r11+0Eh]

0:032> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`4e91490f     : 000001d9`9a4fefd0 00000000`00000000 00000000`00000000 00007ffa`fd855ba1 : libbmp!Bmp::FileInputStream::IsValid+0x20a0
01 00007ffa`4ef12446     : 00000000`00000000 000001d6`d4830258 00000000`00000000 000001d9`b5a2afd0 : libpersona!Dib::RasterHelper::CreateBitmapFromDib+0x6f
02 00007ffa`4ef20c7b     : 000001d6`d483024c 000001d9`8c838d20 000001d6`d4830258 00000020`aa9ff1f1 : libpersona!Emf::EmfLoader::LoadDocument+0x442c6
03 00007ffa`4ef1fe9c     : 00000020`aa9ff390 00000000`00000258 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x52afb
04 00007ffa`faf0e73f     : 00000000`00000258 000001d9`8c838d20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
05 00007ffa`fc56d432     : 000001d9`6d44cfd0 00000020`00000000 000001d9`6d44cfd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
06 00007ffa`4ef215ce     : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d9`992c4f90 : GDI32!EnumEnhMetaFileStub+0x52
07 00007ffa`4eecdb56     : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
08 00007ffa`4eece041     : 000001d9`992c4f90 000001d9`8c838d20 000001d9`992c4f90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
09 00007ffa`4eece2ab     : 00000020`aa9ff708 000001d9`992c4f90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
0a 00007ffa`4eece124     : 000001d9`b8605740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
0b 00007ffa`4ec83a94     : 000001d9`8aed8fa0 000001d9`b8605740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0c 00007ffa`4ec5088f     : 000001d9`b8605740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0d 00007ffa`4ec4eacc     : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0e 00007ffa`51283602     : 000001d9`96a97690 00000000`00000000 000001d9`ab3faf70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0f 00007ffa`52a96cea     : 000001d9`96a976c8 000001d9`89edaf00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
10 00007ffa`af2464cf     : 00000000`00000000 000001d9`ab3faf70 00000000`00000000 000001d9`80d52fe0 : libpersona!PersonaController::StaticDoCommand+0x3a
11 00007ffa`af49f47f     : 000001d9`c03b8fd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
12 00007ffa`fcc17374     : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
13 00007ffa`fd87cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
14 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

0:032> lmDvm libpersona
start             end                 module name
00007ffa`49180000 00007ffa`60abb000   libpersona   (export symbols)       C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image name: libpersona.dll
    Timestamp:        Mon Nov  3 07:34:40 2025 (6908CB90)
    CheckSum:         17822078
    ImageSize:        1793B000
    Mapping Form:     Loaded
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Exploiting this vulnerability allows an attacker to read process memory at an attacker-chosen offset beyond the record (offBmiSrc is a 32-bit field, so up to 4 GiB past it), potentially disclosing sensitive information from the process.

VENDOR RESPONSE

See the security bulletin on trust.canva.com for the vulnerability details and affected versions (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62).

TIMELINE

2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release

Credit

Discovered by KPC of Cisco Talos.