Talos Vulnerability Report

TALOS-2025-2314

Canva Affinity EMF File EMR_EXTTEXTOUTW offDx Out-Of-Bounds Read Vulnerability

March 17, 2026
CVE Number

CVE-2025-58427

SUMMARY

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Canva Affinity 3.0.1.3808

PRODUCT URLS

Affinity - https://www.affinity.studio/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative to software like Adobe Creative Cloud.

Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:

Offset   Size   Name
------   ----   --------------------------------------
0x00     0x04   recordType (0x00000001)
0x04     0x04   recordSize
0x08     0x10   bounds
0x18     0x10   frame
0x28     0x04   recordSignature (0x464D4520)
0x2C     0x04   version
0x30     0x04   sizeInBytes
0x34     0x04   numOfRecords
0x38     0x02   Handles
0x3A     0x02   Reserved

Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.

For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (FME ). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords indicates the total number of records present in the metafile, including the EMR_HEADER.

This vulnerability is associated with the record type EMR_EXTTEXTOUTW.

The EMR_EXTTEXTOUTW record specifies the drawing of a Unicode text string using the current font and text colors. Its structure is defined as follows:

Offset   Size   Name
------   ----   --------------------------------------
0x00     0x04   recordType (0x00000054)
0x04     0x04   recordSize
0x08     0x10   Bounds
0x18     0x04   iGraphicsMode
0x1C     0x04   exScale
0x20     0x04   eyScale
0x24     0x08   Reference
0x2C     0x04   Chars
0x30     0x04   offString
0x34     0x04   Options
0x38     0x10   Rectangle
0x48     0x04   offDx
0x4C     y      StringBuffer
0x4C+y   z      DxBuffer

For the EMR_EXTTEXTOUTW record, the recordType value must be 0x00000054. The vulnerable field is offDx, which specifies the offset, from the start of this record, of the intercharacter spacing array (the DxBuffer).

This vulnerability occurs when the value of offDx is greater than recordSize. When this happens, an out-of-bounds read occurs when the intercharacter spacing array is accessed. This behavior can be observed while debugging with pageheap enabled.

0:034> g
Breakpoint 0 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4613b:
00007ffa`4ef142bb e810d2ffff      call    libpersona!Emf::EmfLoader::LoadDocument+0x43350 (00007ffa`4ef114d0)
0:032> r
rax=00007ffa5d93ada0 rbx=000001d6d4830110 rcx=00000020aa9ff390
rdx=000001d6d4830110 rsi=000001d9b3a1ad20 rdi=00000020aa9ff2d0
rip=00007ffa4ef142bb rsp=00000020aa9feff0 rbp=00000020aa9ff1f1
 r8=000001d9893a0f80  r9=000000000000000f r10=0000000000000004
r11=00000020aa9ff020 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x4613b:
00007ffa`4ef142bb e810d2ffff      call    libpersona!Emf::EmfLoader::LoadDocument+0x43350 (00007ffa`4ef114d0)
0:032> dd 000001d6d4830110      ;<------------------------------------------ (1)
000001d6`d4830110  00000054 000000b4 0000029d 00000158
000001d6`d4830120  00000314 00000167 00000001 41f96000
000001d6`d4830130  41f7684c 0000029d 00000158 00000011
000001d6`d4830140  0000004c 43000000 2500a113 0c000000
000001d6`d4830150  05000000 27000000 18000000 06000000
000001d6`d4830160  00000000 5c000000 00004607 25000000
000001d6`d4830170  0c000000 06000000 56000000 34000000
000001d6`d4830180  39000000 08000000 1f000000 55000003
0:032> pc
libpersona!Emf::EmfLoader::LoadDocument+0x46146:
00007ffa`4ef142c6 ff9098030000    call    qword ptr [rax+398h] ds:00007ffa`5d93b138=00007ffa4ef105f0
0:032> g
Breakpoint 1 hit
libpersona!Emf::EmfLoader::LoadDocument+0x462b4:
00007ffa`4ef14434 8b4b2c          mov     ecx,dword ptr [rbx+2Ch] ds:000001d6`d483013c=00000011
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462b7:
00007ffa`4ef14437 b804000000      mov     eax,4
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462bc:
00007ffa`4ef1443c 48f7e1          mul     rax,rcx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462bf:
00007ffa`4ef1443f 480f42c5        cmovb   rax,rbp
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462c3:
00007ffa`4ef14443 488bc8          mov     rcx,rax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462c6:
00007ffa`4ef14446 e8e92c890d      call    libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x2700b4 (00007ffa`5c7a7134)
0:032> r
rax=0000000000000044 rbx=000001d6d4830110 rcx=0000000000000044
rdx=0000000000000000 rsi=000001d9b3a1ad20 rdi=0000000000000000
rip=00007ffa4ef14446 rsp=00000020aa9feff0 rbp=ffffffffffffffff
 r8=0000000000000000  r9=0000000000000001 r10=00000000ffffffef
r11=00000020aa9fef50 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x462c6:
00007ffa`4ef14446 e8e92c890d      call    libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x2700b4 (00007ffa`5c7a7134)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462cb:
00007ffa`4ef1444b 488bf0          mov     rsi,rax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462ce:
00007ffa`4ef1444e 837b2c00        cmp     dword ptr [rbx+2Ch],0 ds:000001d6`d483013c=00000011
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462d2:
00007ffa`4ef14452 7623            jbe     libpersona!Emf::EmfLoader::LoadDocument+0x462f7 (00007ffa`4ef14477) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462d4:
00007ffa`4ef14454 488bd7          mov     rdx,rdi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462d7:
00007ffa`4ef14457 660f1f840000000000 nop   word ptr [rax+rax]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462e0:
00007ffa`4ef14460 8b4b48          mov     ecx,dword ptr [rbx+48h] ds:000001d6`d4830158=18000000  ;<-------------------------------- (2)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x462e3:
00007ffa`4ef14463 4803ca          add     rcx,rdx
0:032> r
rax=000001d9b0112fb0 rbx=000001d6d4830110 rcx=0000000018000000
rdx=0000000000000000 rsi=000001d9b0112fb0 rdi=0000000000000000
rip=00007ffa4ef14463 rsp=00000020aa9feff0 rbp=ffffffffffffffff
 r8=0000000000000004  r9=0000000000000000 r10=000001d9b0112fb0
r11=000001d9b0112fb0 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x462e3:
00007ffa`4ef14463 4803ca          add     rcx,rdx
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x462e6:
00007ffa`4ef14466 8b0c19          mov     ecx,dword ptr [rcx+rbx] ds:000001d6`ec830110=???????? ;<-------------------------------- (3)

The contents of the EMR_EXTTEXTOUTW record are examined at (1): recordSize is 0xb4, Chars is 0x11 and offDx is 0x18000000. At (2), the offDx value is read and used as an offset from the record base (rbx) to access the intercharacter spacing array at (3). Because the offDx value is greater than recordSize in this case, an out-of-bounds read occurs. The crash details are as follows:

0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x462e6:
00007ffa`4ef14466 8b0c19          mov     ecx,dword ptr [rcx+rbx] ds:000001d6`ec830110=????????
0:032> dd rcx+rbx
000001d6`ec830110  ???????? ???????? ???????? ????????
000001d6`ec830120  ???????? ???????? ???????? ????????
000001d6`ec830130  ???????? ???????? ???????? ????????
000001d6`ec830140  ???????? ???????? ???????? ????????
000001d6`ec830150  ???????? ???????? ???????? ????????
000001d6`ec830160  ???????? ???????? ???????? ????????
000001d6`ec830170  ???????? ???????? ???????? ????????
000001d6`ec830180  ???????? ???????? ???????? ????????

0:032> u
libpersona!Emf::EmfLoader::LoadDocument+0x462e6:
00007ffa`4ef14466 8b0c19          mov     ecx,dword ptr [rcx+rbx]
00007ffa`4ef14469 890c02          mov     dword ptr [rdx+rax],ecx
00007ffa`4ef1446c ffc7            inc     edi
00007ffa`4ef1446e 4883c204        add     rdx,4
00007ffa`4ef14472 3b7b2c          cmp     edi,dword ptr [rbx+2Ch]
00007ffa`4ef14475 72e9            jb      libpersona!Emf::EmfLoader::LoadDocument+0x462e0 (00007ffa`4ef14460)
00007ffa`4ef14477 498b06          mov     rax,qword ptr [r14]
00007ffa`4ef1447a 4889742420      mov     qword ptr [rsp+20h],rsi

0:032> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`4ef20def     : 000001d6`d4830104 000001d9`b19b9fd0 000001d6`d4830110 00000020`aa9ff1f1 : libpersona!Emf::EmfLoader::LoadDocument+0x462e6
01 00007ffa`4ef1fe9c     : 00000020`aa9ff390 00000000`00000110 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x52c6f
02 00007ffa`faf0e73f     : 00000000`00000110 000001d9`b3a1ad20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
03 00007ffa`fc56d432     : 000001d9`46a20fd0 00000020`00000000 000001d9`46a20fd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
04 00007ffa`4ef215ce     : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d9`9ca4ef90 : GDI32!EnumEnhMetaFileStub+0x52
05 00007ffa`4eecdb56     : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
06 00007ffa`4eece041     : 000001d9`9ca4ef90 000001d9`b3a1ad20 000001d9`9ca4ef90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
07 00007ffa`4eece2ab     : 00000020`aa9ff708 000001d9`9ca4ef90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
08 00007ffa`4eece124     : 000001d9`8a485740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
09 00007ffa`4ec83a94     : 000001d9`41f6efb0 000001d9`8a485740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0a 00007ffa`4ec5088f     : 000001d9`8a485740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0b 00007ffa`4ec4eacc     : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0c 00007ffa`51283602     : 000001d9`be1c0690 00000000`00000000 000001d9`8970cf70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0d 00007ffa`52a96cea     : 000001d9`be1c06c8 000001d9`7800af00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
0e 00007ffa`af2464cf     : 00000000`00000000 000001d9`8970cf70 00000000`00000000 000001d9`b7e3efe0 : libpersona!PersonaController::StaticDoCommand+0x3a
0f 00007ffa`af49f47f     : 000001d9`7e4cafd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
10 00007ffa`fcc17374     : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
11 00007ffa`fd87cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
12 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

0:032> lmDvm libpersona
Browse full module list
start             end                 module name
00007ffa`49180000 00007ffa`60abb000   libpersona   (export symbols)       C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image name: libpersona.dll
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Nov  3 07:34:40 2025 (6908CB90)
    CheckSum:         17822078
    ImageSize:        1793B000
    Mapping Form:     Loaded
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.
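As an added illustration (not part of the Talos report or of Affinity's own code), the following Python check parses the fixed part of an EMR_EXTTEXTOUTW record and rejects offString/offDx values whose arrays would extend past recordSize. The sample record is constructed from the 19 dwords shown in the dd output at (1); one 32-bit spacing entry per character is assumed, matching the Chars*4 computation visible in the disassembly.

```python
import struct

EMR_EXTTEXTOUTW = 0x54
FIXED_LEN = 0x4C  # fixed part of the record, up to and including offDx

# Constructed sample: these 19 dwords are the ones the "dd" output at (1)
# shows for the crashing record (recordSize 0xB4, Chars 0x11, offString
# 0x4C, offDx 0x18000000); zero padding brings the buffer to recordSize.
SAMPLE_DWORDS = [
    0x00000054, 0x000000B4, 0x0000029D, 0x00000158,
    0x00000314, 0x00000167, 0x00000001, 0x41F96000,
    0x41F7684C, 0x0000029D, 0x00000158, 0x00000011,
    0x0000004C, 0x43000000, 0x2500A113, 0x0C000000,
    0x05000000, 0x27000000, 0x18000000,
]
SAMPLE_RECORD = struct.pack("<19I", *SAMPLE_DWORDS)
SAMPLE_RECORD += b"\x00" * (0xB4 - len(SAMPLE_RECORD))


def check_exttextoutw(rec: bytes) -> list:
    """Validate the offsets of one EMR_EXTTEXTOUTW record against its own
    recordSize. Returns a list of problems; an empty list means every array
    the record points to lies inside the record bytes."""
    problems = []
    if len(rec) < FIXED_LEN:
        return ["record shorter than the fixed EMR_EXTTEXTOUTW header"]
    record_type, record_size = struct.unpack_from("<II", rec, 0x00)
    if record_type != EMR_EXTTEXTOUTW:
        return ["unexpected recordType 0x%08x" % record_type]
    if record_size > len(rec) or record_size < FIXED_LEN:
        problems.append("recordSize 0x%x does not match the buffer" % record_size)
    chars, off_string = struct.unpack_from("<II", rec, 0x2C)
    (off_dx,) = struct.unpack_from("<I", rec, 0x48)
    # StringBuffer holds Chars UTF-16 code units (2 bytes each).
    string_end = off_string + chars * 2
    # DxBuffer holds one 32-bit spacing per character: the Chars * 4 bytes
    # the loop at (2)/(3) reads. Python ints do not wrap, so a huge offDx
    # cannot make this sum overflow the way a 32-bit addition could.
    dx_end = off_dx + chars * 4
    if string_end > record_size:
        problems.append("offString 0x%x + %d*2 exceeds recordSize 0x%x"
                        % (off_string, chars, record_size))
    if dx_end > record_size:
        problems.append("offDx 0x%x + %d*4 exceeds recordSize 0x%x"
                        % (off_dx, chars, record_size))
    return problems


def with_offdx(rec: bytes, off_dx: int) -> bytes:
    """Return a copy of rec with the offDx field replaced (for comparison)."""
    return rec[:0x48] + struct.pack("<I", off_dx) + rec[0x4C:]
```

With the dumped offDx of 0x18000000 the check reports the DxBuffer overrun; rewriting offDx to 0x6E (directly after the 34-byte StringBuffer) yields a record whose 68-byte DxBuffer ends at 0xB2, inside recordSize.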

VENDOR RESPONSE

See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)

TIMELINE

2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release

Credit

Discovered by KPC of Cisco Talos.