Talos Vulnerability Report

TALOS-2025-2317

Canva Affinity EMF File EMR_POLYBEZIER Count Out-Of-Bounds Read Vulnerability

March 17, 2026

CVE Number

CVE-2025-61952

SUMMARY

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Canva Affinity 3.0.1.3808

PRODUCT URLS

Affinity - https://www.affinity.studio/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative the software like Adobe Creative Cloud.

Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:

Offset      Size      Name
------      ---- --------------------------------------
0x00        0x04            recordType  (0x00000001 )
0x04        0x04            recordSize
0x08        0x10            bounds
0x18        0x10            frame
0x28        0x04            recordSignature (0x464D4520)
0x2C        0x04            version
0x30        0x04            sizeInBytes
0x34        0x04            numOfRecords
0x38        0x02            Handles
0x3A        0x02            Reserved

Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.

For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (FME ). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords indicates the total number of records present in the metafile, including the EMR_HEADER.

This vulnerability is associated with the record type EMR_POLYBEZIER.

The EMR_POLYBEZIER record specifies one or more Bezier curves. Its structure is defined as follows:

Offset     Size      Name
-----   ---------- --------------------------------------
0x00         0x04        recordType  (0x00000002   )
0x04         0x04        recordSize
0x08         0x10        Bounds
0x18         0x04        Count (N)
0x1C         0x08*N      aPoints

For the EMR_POLYBEZIER record, the recordType value must be 0x00000002. The Count field specifies the number of PointL objects in the aPoints field. The aPoints field is an array whose size is equal to Count.

This vulnerability occurs when the value of (0x1C + (8 * N)) exceeds recordSize. When this condition is met, an out‑of‑bounds read can occur during access to the aPoints array. This behavior can be observed while debugging with pageheap enabled.

0:032> g
Breakpoint 1 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4845e:
00007ffa`4ef165de 4c8bf9          mov     r15,rcx
0:032> r
rax=00007ffa5d93ada0 rbx=000001d6d4830118 rcx=00000020aa9ff390
rdx=000001d6d4830118 rsi=000001d9b59a2d20 rdi=00000020aa9ff2d0
rip=00007ffa4ef165de rsp=00000020aa9feff0 rbp=00000020aa9ff060
 r8=000001d9c2dbaff0  r9=0000000000000002 r10=0000000000000000
r11=00000020aa9fef60 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=000001d6d4830118 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x4845e:
00007ffa`4ef165de 4c8bf9          mov     r15,rcx
0:032> dd 000001d6d4830118   ;<------------------------------------ (1)
000001d6`d4830118  00000002 00000114 00000027 000191c0
000001d6`d4830128  01000f00 000bbe00 00001f00 00006400
000001d6`d4830138  0007d000 00002d00 ffffe800 00005aff
000001d6`d4830148  00003100 00008700 ffffb700 0000b4ff
000001d6`d4830158  00006300 0000e100 ffff8500 00010eff
000001d6`d4830168  00009400 00013b00 ffff5200 00016bff
000001d6`d4830178  0000c600 00019800 ffff2100 0001c5ff
000001d6`d4830188  0000f700 0001f200 fffeef00 00021fff
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48461:
00007ffa`4ef165e1 e8eaaeffff      call    libpersona!Emf::EmfLoader::LoadDocument+0x43350 (00007ffa`4ef114d0)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48466:
00007ffa`4ef165e6 0f57c0          xorps   xmm0,xmm0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48469:
00007ffa`4ef165e9 f30f7f45c0      movdqu  xmmword ptr [rbp-40h],xmm0 ss:00000020`aa9ff020=00007ffa4ef0dd98000001d9c227cfd0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4846e:
00007ffa`4ef165ee 4533c0          xor     r8d,r8d
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48471:
00007ffa`4ef165f1 4c8945d0        mov     qword ptr [rbp-30h],r8 ss:00000020`aa9ff030=000001d9932d2fd0
0:032> bp 00007FFA4EF16696 
0:032> g
Breakpoint 2 hit
libpersona!Emf::EmfLoader::LoadDocument+0x48516:
00007ffa`4ef16696 4533ed          xor     r13d,r13d
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48519:
00007ffa`4ef16699 45396e18        cmp     dword ptr [r14+18h],r13d ds:000001d6`d4830130=00001f00 ;<-------------------- (2)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4851d:
00007ffa`4ef1669d 0f8665010000    jbe     libpersona!Emf::EmfLoader::LoadDocument+0x48688 (00007ffa`4ef16808) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48523:
00007ffa`4ef166a3 4d8d661c        lea     r12,[r14+1Ch]  ;<-------------------- (3)
0:032> r
rax=000001d9aaed0fe0 rbx=000001d9aaed0fe0 rcx=0000000000000000
rdx=0000000000000000 rsi=000000000001f000 rdi=000001d9aaed0fe0
rip=00007ffa4ef166a3 rsp=00000020aa9feff0 rbp=00000020aa9ff060
 r8=000001d9aaeeffe0  r9=00007ffafa1e120e r10=00007ffafa1d0000
r11=000001d9aaed0fd0 r12=00007ffa4ef1fe80 r13=0000000000000000
r14=000001d6d4830118 r15=00000020aa9ff390
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x48523:
00007ffa`4ef166a3 4d8d661c        lea     r12,[r14+1Ch]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48527:
00007ffa`4ef166a7 48baffffffffffffff0f mov rdx,0FFFFFFFFFFFFFFFh
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48531:
00007ffa`4ef166b1 488b4548        mov     rax,qword ptr [rbp+48h] ss:00000020`aa9ff0a8=000001d6d4830118
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48535:
00007ffa`4ef166b5 66410f6e742404  movd    xmm6,dword ptr [r12+4] ds:000001d6`d4830138=0007d000 ;<-------------------- (4)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4853c:
00007ffa`4ef166bc f30fe6f6        cvtdq2pd xmm6,xmm6
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48540:
00007ffa`4ef166c0 66410f6e3c24    movd    xmm7,dword ptr [r12] ds:000001d6`d4830134=00006400 ;<-------------------- (5)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x48546:
00007ffa`4ef166c6 f30fe6ff        cvtdq2pd xmm7,xmm7
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4854a:
00007ffa`4ef166ca 4c8bf3          mov     r14,rbx
0:032> u
libpersona!Emf::EmfLoader::LoadDocument+0x4854a:
00007ffa`4ef166ca 4c8bf3          mov     r14,rbx
00007ffa`4ef166cd 493bd8          cmp     rbx,r8
00007ffa`4ef166d0 741e            je      libpersona!Emf::EmfLoader::LoadDocument+0x48570 (00007ffa`4ef166f0)
00007ffa`4ef166d2 f20f113b        movsd   mmword ptr [rbx],xmm7
00007ffa`4ef166d6 f20f117308      movsd   mmword ptr [rbx+8],xmm6
00007ffa`4ef166db 488b5dc8        mov     rbx,qword ptr [rbp-38h]
00007ffa`4ef166df 4883c310        add     rbx,10h
00007ffa`4ef166e3 4c8b45d0        mov     r8,qword ptr [rbp-30h]

The contents of the EMR_POLYBEZIER record are examined at (1). At (2), it is verified that Count is non‑zero. If so, the address of the memory containing aPoints is obtained at (3). A loop begins at (4) that runs Count times and reads PointL objects at (4) and (5). In this situation, the Count value is excessively large, and continuing the loop leads to an out‑of‑bounds read, which is visible at the time of the crash.

0:032> g
(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
libpersona!Emf::EmfLoader::LoadDocument+0x48535:
00007ffa`4ef166b5 66410f6e742404  movd    xmm6,dword ptr [r12+4] ds:000001d6`d4831000=????????
0:032> u
libpersona!Emf::EmfLoader::LoadDocument+0x48535:
00007ffa`4ef166b5 66410f6e742404  movd    xmm6,dword ptr [r12+4]
00007ffa`4ef166bc f30fe6f6        cvtdq2pd xmm6,xmm6
00007ffa`4ef166c0 66410f6e3c24    movd    xmm7,dword ptr [r12]
00007ffa`4ef166c6 f30fe6ff        cvtdq2pd xmm7,xmm7
00007ffa`4ef166ca 4c8bf3          mov     r14,rbx
00007ffa`4ef166cd 493bd8          cmp     rbx,r8
00007ffa`4ef166d0 741e            je      libpersona!Emf::EmfLoader::LoadDocument+0x48570 (00007ffa`4ef166f0)
00007ffa`4ef166d2 f20f113b        movsd   mmword ptr [rbx],xmm7
0:032> dd 000001d6`d4831000
000001d6`d4831000  ???????? ???????? ???????? ????????
000001d6`d4831010  ???????? ???????? ???????? ????????
000001d6`d4831020  ???????? ???????? ???????? ????????
000001d6`d4831030  ???????? ???????? ???????? ????????
000001d6`d4831040  ???????? ???????? ???????? ????????
000001d6`d4831050  ???????? ???????? ???????? ????????
000001d6`d4831060  ???????? ???????? ???????? ????????
000001d6`d4831070  ???????? ???????? ???????? ????????
0:032> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`4ef1ff2e     : 00000020`aa9ff390 000001d6`d4830118 000001d6`d4830118 00000020`aa9ff1f1 : libpersona!Emf::EmfLoader::LoadDocument+0x48535
01 00007ffa`4ef1fe9c     : 00000020`aa9ff390 00000000`00000118 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x51dae
02 00007ffa`faf0e73f     : 00000000`00000118 000001d9`b59a2d20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
03 00007ffa`fc56d432     : 000001d9`7d252fd0 00000020`00000000 000001d9`7d252fd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
04 00007ffa`4ef215ce     : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d6`a83fef90 : GDI32!EnumEnhMetaFileStub+0x52
05 00007ffa`4eecdb56     : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
06 00007ffa`4eece041     : 000001d6`a83fef90 000001d9`b59a2d20 000001d6`a83fef90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
07 00007ffa`4eece2ab     : 00000020`aa9ff708 000001d6`a83fef90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
08 00007ffa`4eece124     : 000001d6`e8efa740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
09 00007ffa`4ec83a94     : 000001d9`8d780fb0 000001d6`e8efa740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0a 00007ffa`4ec5088f     : 000001d6`e8efa740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0b 00007ffa`4ec4eacc     : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0c 00007ffa`51283602     : 000001d9`93ea0690 00000000`00000000 000001d9`b8aa6f70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0d 00007ffa`52a96cea     : 000001d9`93ea06c8 000001d9`82706f00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
0e 00007ffa`af2464cf     : 00000000`00000000 000001d9`b8aa6f70 00000000`00000000 000001d9`c28defe0 : libpersona!PersonaController::StaticDoCommand+0x3a
0f 00007ffa`af49f47f     : 000001d9`b4578fd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
10 00007ffa`fcc17374     : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
11 00007ffa`fd87cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
12 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:032> lmDvm libpersona
Browse full module list
start             end                 module name
00007ffa`49180000 00007ffa`60abb000   libpersona   (export symbols)       C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image name: libpersona.dll
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Nov  3 07:34:40 2025 (6908CB90)
    CheckSum:         17822078
    ImageSize:        1793B000
    Mapping Form:     Loaded
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.

VENDOR RESPONSE

See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)

TIMELINE

2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release

Credit

Discovered by KPC of Cisco Talos.

TALOS-2025-2318

TALOS-2025-2316

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Company