CVE-2025-66042
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Canva Affinity 3.0.1.3808
Affinity - https://www.affinity.studio/
6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
CWE-125 - Out-of-bounds Read
Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative the software like Adobe Creative Cloud.
Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.
An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:
Offset Size Name
------ ---- --------------------------------------
0x00 0x04 recordType (0x00000001 )
0x04 0x04 recordSize
0x08 0x10 bounds
0x18 0x10 frame
0x28 0x04 recordSignature (0x464D4520)
0x2C 0x04 version
0x30 0x04 sizeInBytes
0x34 0x04 numOfRecords
0x38 0x02 Handles
0x3A 0x02 Reserved
Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.
For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (FME ). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords indicates the total number of records present in the metafile, including the EMR_HEADER.
This vulnerability is associated with the record type EMR_EXTSELECTCLIPRGN.
The EMR_EXTSELECTCLIPRGN record combine the specified region. Its structure is defined as follows:
Offset Size Name
----- ---------- --------------------------------------
0x00 0x04 recordType (0x0000004B)
0x04 0x04 recordSize
0x08 0x04 RgnDataSize (N)
0x0C 0x04 RegionMode
0x10 N RgnData
For the EMR_EXTSELECTCLIPRGN record, the recordType value must be 0x0000004B. The RgnDataSize field specifies the size of the RgnData field in bytes.
The structure of RgnData is as follows:
Offset Size Name
----- ---------- --------------------------------------
0x00 0x04 RegionDataHeaderSize
0x04 0x04 RegionDataHeaderType
0x08 0x04 CountRects (P)
0x0C 0x04 RgnSize
0x10 0x10 Bounds
0x20 X RegionData
The CountRects field indicates the number of rectangles in this region. The RgnSize field specifies the size of the rectangle buffer in bytes.
This vulnerability occurs when the value of (CountRects * 0x10 + 0x20) exceeds RgnDataSize. When this happens, an out‑of‑bounds read may occur during access to the RegionData field. This behavior can be observed while debugging with pageheap enabled.
0:032> g
Breakpoint 1 hit
libpersona!Emf::EmfLoader::LoadDocument+0x45ca8:
00007ffa`4ef13e28 4c8bf1 mov r14,rcx
0:032> r
rax=00007ffa5d93ada0 rbx=000001d6d4830664 rcx=00000020aa9ff390
rdx=000001d6d4830664 rsi=000001d6d4830664 rdi=00000020aa9ff2d0
rip=00007ffa4ef13e28 rsp=00000020aa9ff000 rbp=00000020aa9ff1f1
r8=000001d9950e0fe0 r9=0000000000000004 r10=00000000ffffffef
r11=00000020aa9fef70 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x45ca8:
00007ffa`4ef13e28 4c8bf1 mov r14,rcx
0:032> dd 000001d6d4830664 ;<------------------------------------------ (1)
000001d6`d4830664 0000004b 00000040 00000030 00000005
000001d6`d4830674 00000020 00020001 004b0000 00400000
000001d6`d4830684 00300000 00050000 00200000 00010000
000001d6`d4830694 00010000 00100000 03520000 00000000
000001d6`d48306a4 060d0000 018f0000 03520000 00000000
000001d6`d48306b4 060d0000 018f0000 00000000 00000014
000001d6`d48306c4 00000000 00000000 00000000 00000000
000001d6`d48306d4 00000000 00000000 00000000 00000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cab:
00007ffa`4ef13e2b e8a0d6ffff call libpersona!Emf::EmfLoader::LoadDocument+0x43350 (00007ffa`4ef114d0)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cb0:
00007ffa`4ef13e30 498b06 mov rax,qword ptr [r14] ds:00000020`aa9ff390=00007ffa5d93ada0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cb3:
00007ffa`4ef13e33 498bce mov rcx,r14
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cb6:
00007ffa`4ef13e36 ff9098030000 call qword ptr [rax+398h] ds:00007ffa`5d93b138=00007ffa4ef105f0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cbc:
00007ffa`4ef13e3c 488be8 mov rbp,rax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cbf:
00007ffa`4ef13e3f 33ff xor edi,edi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cc1:
00007ffa`4ef13e41 48897c2448 mov qword ptr [rsp+48h],rdi ss:00000020`aa9ff048=0000000000000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cc6:
00007ffa`4ef13e46 4c8d4610 lea r8,[rsi+10h]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cca:
00007ffa`4ef13e4a 4d85c0 test r8,r8
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45ccd:
00007ffa`4ef13e4d 7463 je libpersona!Emf::EmfLoader::LoadDocument+0x45d32 (00007ffa`4ef13eb2) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45ccf:
00007ffa`4ef13e4f 397e08 cmp dword ptr [rsi+8],edi ds:000001d6`d483066c=00000030 ;<----------------------------------- (2)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cd2:
00007ffa`4ef13e52 765e jbe libpersona!Emf::EmfLoader::LoadDocument+0x45d32 (00007ffa`4ef13eb2) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cd4:
00007ffa`4ef13e54 498b06 mov rax,qword ptr [r14] ds:00000020`aa9ff390=00007ffa5d93ada0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cd7:
00007ffa`4ef13e57 488d542430 lea rdx,[rsp+30h]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cdc:
00007ffa`4ef13e5c 498bce mov rcx,r14
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x45cdf:
00007ffa`4ef13e5f ff9078040000 call qword ptr [rax+478h] ds:00007ffa`5d93b218=00007ffa4ef0f8e0 ;<----------------------------------- (3)
The contents of the EMR_EXTSELECTCLIPRGN record are examined at (1). At (2), the code checks that RgnDataSize is non‑zero. If it is, a method is called at (3) to process RgnData.
0:032> r
rax=00007ffa5d93ada0 rbx=000001d6d4830664 rcx=00000020aa9ff390
rdx=00000020aa9ff030 rsi=000001d6d4830664 rdi=0000000000000000
rip=00007ffa4ef0f8e0 rsp=00000020aa9feff8 rbp=000001d9b5610e80
r8=000001d6d4830674 r9=0000000000000001 r10=00000000ffffffef
r11=00000020aa9fef00 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=00000020aa9ff390 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x41760:
00007ffa`4ef0f8e0 48895c2408 mov qword ptr [rsp+8],rbx ss:00000020`aa9ff000=000001d695a78fd0
0:032> dd 000001d6d4830674 ;<----------------------------------- (4)
000001d6`d4830674 00000020 00020001 004b0000 00400000
000001d6`d4830684 00300000 00050000 00200000 00010000
000001d6`d4830694 00010000 00100000 03520000 00000000
000001d6`d48306a4 060d0000 018f0000 03520000 00000000
000001d6`d48306b4 060d0000 018f0000 00000000 00000014
000001d6`d48306c4 00000000 00000000 00000000 00000000
000001d6`d48306d4 00000000 00000000 00000000 00000000
000001d6`d48306e4 00000000 00000000 00000000 00000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x41765:
00007ffa`4ef0f8e5 4889542410 mov qword ptr [rsp+10h],rdx ss:00000020`aa9ff008=000001d6d4830664
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4176a:
00007ffa`4ef0f8ea 55 push rbp
[...]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x41787:
00007ffa`4ef0f907 f30f7f45c0 movdqu xmmword ptr [rbp-40h],xmm0 ss:00000020`aa9fef80=00000020aa9ff3900000000000000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4178c:
00007ffa`4ef0f90c 48897dd0 mov qword ptr [rbp-30h],rdi ss:00000020`aa9fef90=0000000000000001
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x41790:
00007ffa`4ef0f910 4d636008 movsxd r12,dword ptr [r8+8] ds:000001d6`d483067c=004b0000
0:032> r
rax=00007ffa5d93ada0 rbx=000001d6d4830664 rcx=00000020aa9ff390
rdx=00000020aa9ff030 rsi=000001d6d4830664 rdi=0000000000000000
rip=00007ffa4ef0f910 rsp=00000020aa9fef40 rbp=00000020aa9fefc0
r8=000001d6d4830674 r9=0000000000000001 r10=00000000ffffffef
r11=00000020aa9fef00 r12=00007ffa4ef1fe80 r13=000001d6d4830674
r14=00000020aa9ff390 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
libpersona!Emf::EmfLoader::LoadDocument+0x41790:
00007ffa`4ef0f910 4d636008 movsxd r12,dword ptr [r8+8] ds:000001d6`d483067c=004b0000 ;<----------------------------------- (5)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x41794:
00007ffa`4ef0f914 4d85e4 test r12,r12
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x41797:
00007ffa`4ef0f917 0f84f6000000 je libpersona!Emf::EmfLoader::LoadDocument+0x41893 (00007ffa`4ef0fa13) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4179d:
00007ffa`4ef0f91d 48b8ffffffffffffff1f mov rax,1FFFFFFFFFFFFFFFh
0:032> g
Breakpoint 3 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4189b:
00007ffa`4ef0fa1b 488d359e8e800e lea rsi,[libpersona!AffinityFontFileStoreItem::`vbtable'+0x2d0 (00007ffa`5d7188c0)]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418a2:
00007ffa`4ef0fa22 4d85e4 test r12,r12
0:032> r
rax=000001d9d8270fe0 rbx=0000000000000000 rcx=000001d9d5cf0fe0
rdx=d0d0d0d0d0d0d0d0 rsi=00007ffa5d7188c0 rdi=0000000000000000
rip=00007ffa4ef0fa22 rsp=00000020aa9fef40 rbp=00000020aa9fefc0
r8=0000000000000001 r9=0000000000000000 r10=000001d9d5cf0fd0
r11=0000000000000246 r12=00000000004b0000 r13=000001d6d4830674
r14=000001d9d5cf0fe0 r15=0000000002580000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
libpersona!Emf::EmfLoader::LoadDocument+0x418a2:
00007ffa`4ef0fa22 4d85e4 test r12,r12 ;<----------------------------------- (6)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418a5:
00007ffa`4ef0fa25 0f8e15010000 jle libpersona!Emf::EmfLoader::LoadDocument+0x419c0 (00007ffa`4ef0fb40) [br=0]
0:032> p
Breakpoint 2 hit
libpersona!Emf::EmfLoader::LoadDocument+0x418ab:
00007ffa`4ef0fa2b 4c8bff mov r15,rdi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418ae:
00007ffa`4ef0fa2e 4d8d7528 lea r14,[r13+28h] ;<----------------------------------- (7)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418b2:
00007ffa`4ef0fa32 4533ed xor r13d,r13d
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418b5:
00007ffa`4ef0fa35 6666660f1f840000000000 nop word ptr [rax+rax]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418c0:
00007ffa`4ef0fa40 f3410fe64ef8 cvtdq2pd xmm1,mmword ptr [r14-8] ds:000001d6`d4830694=0010000000010000 ;<----------------------------------- (8)
0:032> dd r14
000001d6`d483069c 03520000 00000000 060d0000 018f0000
000001d6`d48306ac 03520000 00000000 060d0000 018f0000
000001d6`d48306bc 00000000 00000014 00000000 00000000
000001d6`d48306cc 00000000 00000000 00000000 00000000
000001d6`d48306dc 00000000 00000000 00000000 00000000
000001d6`d48306ec 00000000 00000000 00000000 00000000
000001d6`d48306fc 00000000 00000000 00000000 00000000
000001d6`d483070c 00000000 00000000 00000000 00000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418c6:
00007ffa`4ef0fa46 0f114dd8 movups xmmword ptr [rbp-28h],xmm1 ss:00000020`aa9fef98=000001d9b70b8fd000007ffa49648517
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418ca:
00007ffa`4ef0fa4a 66410f6e06 movd xmm0,dword ptr [r14] ds:000001d6`d483069c=03520000 ;<----------------------------------- (9)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418cf:
00007ffa`4ef0fa4f f30fe6c0 cvtdq2pd xmm0,xmm0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418d3:
00007ffa`4ef0fa53 f20f1145e8 movsd mmword ptr [rbp-18h],xmm0 ss:00000020`aa9fefa8=0000002000000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x418d8:
00007ffa`4ef0fa58 66410f6e4e04 movd xmm1,dword ptr [r14+4] ds:000001d6`d48306a0=00000000 ;<----------------------------------- (10)
0:032> u
libpersona!Emf::EmfLoader::LoadDocument+0x418d8:
00007ffa`4ef0fa58 66410f6e4e04 movd xmm1,dword ptr [r14+4]
00007ffa`4ef0fa5e f30fe6c9 cvtdq2pd xmm1,xmm1
00007ffa`4ef0fa62 f20f114df0 movsd mmword ptr [rbp-10h],xmm1
00007ffa`4ef0fa67 b928000000 mov ecx,28h
00007ffa`4ef0fa6c e87f76890d call libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x270070 (00007ffa`5c7a70f0)
00007ffa`4ef0fa71 488bf8 mov rdi,rax
00007ffa`4ef0fa74 48894558 mov qword ptr [rbp+58h],rax
00007ffa`4ef0fa78 4885c0 test rax,rax
0:032> bp 00007FFA4EF0FB18
The contents of the RgnData field are examined at (4). At (5), the CountRects value within RgnData is read and stored in register r12. At (6), the code checks that CountRects is greater than 0. If it is, the address of the memory containing RegionData is obtained at (7). A loop begins at (8) that runs CountRects times and reads RegionData entries at (8), (9), and (10). In this case, CountRects is excessively large, and continuing the loop results in an out‑of‑bounds read, which becomes visible when the crash occurs.
0:032> g
(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
libpersona!Emf::EmfLoader::LoadDocument+0x418d8:
00007ffa`4ef0fa58 66410f6e4e04 movd xmm1,dword ptr [r14+4] ds:000001d6`d4831000=????????
0:032> dd 000001d6`d4831000
000001d6`d4831000 ???????? ???????? ???????? ????????
000001d6`d4831010 ???????? ???????? ???????? ????????
000001d6`d4831020 ???????? ???????? ???????? ????????
000001d6`d4831030 ???????? ???????? ???????? ????????
000001d6`d4831040 ???????? ???????? ???????? ????????
000001d6`d4831050 ???????? ???????? ???????? ????????
000001d6`d4831060 ???????? ???????? ???????? ????????
000001d6`d4831070 ???????? ???????? ???????? ????????
0:032> u
libpersona!Emf::EmfLoader::LoadDocument+0x418d8:
00007ffa`4ef0fa58 66410f6e4e04 movd xmm1,dword ptr [r14+4]
00007ffa`4ef0fa5e f30fe6c9 cvtdq2pd xmm1,xmm1
00007ffa`4ef0fa62 f20f114df0 movsd mmword ptr [rbp-10h],xmm1
00007ffa`4ef0fa67 b928000000 mov ecx,28h
00007ffa`4ef0fa6c e87f76890d call libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x270070 (00007ffa`5c7a70f0)
00007ffa`4ef0fa71 488bf8 mov rdi,rax
00007ffa`4ef0fa74 48894558 mov qword ptr [rbp+58h],rax
00007ffa`4ef0fa78 4885c0 test rax,rax
0:032> kb
# RetAddr : Args to Child : Call Site
00 00007ffa`4ef13e65 : 000001d6`d4830664 00000020`aa9ff030 00000000`00000000 000001d9`c2772fd0 : libpersona!Emf::EmfLoader::LoadDocument+0x418d8
01 00007ffa`4ef20c4b : 000001d6`d4830658 000001d9`c075cfe0 000001d6`d4830664 00000020`aa9ff1f1 : libpersona!Emf::EmfLoader::LoadDocument+0x45ce5
02 00007ffa`4ef1fe9c : 00000020`aa9ff390 00000000`00000664 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x52acb
03 00007ffa`faf0e73f : 00000000`00000664 000001d9`b98bed20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
04 00007ffa`fc56d432 : 000001d9`ad4bafd0 00000020`00000000 000001d9`ad4bafd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
05 00007ffa`4ef215ce : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d9`b580ef90 : GDI32!EnumEnhMetaFileStub+0x52
06 00007ffa`4eecdb56 : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
07 00007ffa`4eece041 : 000001d9`b580ef90 000001d9`b98bed20 000001d9`b580ef90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
08 00007ffa`4eece2ab : 00000020`aa9ff708 000001d9`b580ef90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
09 00007ffa`4eece124 : 000001d9`b8605740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
0a 00007ffa`4ec83a94 : 000001d9`b704cfb0 000001d9`b8605740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0b 00007ffa`4ec5088f : 000001d9`b8605740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0c 00007ffa`4ec4eacc : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0d 00007ffa`51283602 : 000001d9`8bf7a690 00000000`00000000 000001d9`ba006f70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0e 00007ffa`52a96cea : 000001d9`8bf7a6c8 000001d9`b66d6f00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
0f 00007ffa`af2464cf : 00000000`00000000 000001d9`ba006f70 00000000`00000000 000001d9`b19defe0 : libpersona!PersonaController::StaticDoCommand+0x3a
10 00007ffa`af49f47f : 000001d6`a8457fd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
11 00007ffa`fcc17374 : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
12 00007ffa`fd87cc91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
13 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:032> lmDvm libpersona
Browse full module list
start end module name
00007ffa`49180000 00007ffa`60abb000 libpersona (export symbols) C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
Image name: libpersona.dll
Browse all global symbols functions data Symbol Reload
Timestamp: Mon Nov 3 07:34:40 2025 (6908CB90)
CheckSum: 17822078
ImageSize: 1793B000
Mapping Form: Loaded
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.
See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)
2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release
Discovered by KPC of Cisco Talos.