Talos Vulnerability Report

TALOS-2025-2325

Canva Affinity EMF File EMR_POLYPOLYLINE Count Out-Of-Bounds Read Vulnerability

March 17, 2026
CVE Number

CVE-2026-22882

SUMMARY

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Canva Affinity 3.0.1.3808

PRODUCT URLS

Affinity - https://www.affinity.studio/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative to software such as Adobe Creative Cloud.

Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:

Offset   Size   Name
------   ----   ---------------------------------
0x00     0x04   recordType (0x00000001)
0x04     0x04   recordSize
0x08     0x10   bounds
0x18     0x10   frame
0x28     0x04   recordSignature (0x464D4520)
0x2C     0x04   version
0x30     0x04   sizeInBytes
0x34     0x04   numOfRecords
0x38     0x02   Handles
0x3A     0x02   Reserved

Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.

For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes (MS-EMF requires at least 0x58, i.e. 88 bytes). The recordSignature field must have the value 0x464D4520; stored little-endian, these are the four ASCII bytes " EMF". The sizeInBytes field specifies the size of the whole metafile in bytes. The numOfRecords field indicates the total number of records present in the metafile, including the EMR_HEADER itself.

This vulnerability is associated with the record type EMR_POLYPOLYLINE.

The EMR_POLYPOLYLINE record draws multiple series of connected line segments. Its structure is defined as follows:

Offset        Size     Name
-----------   ------   ---------------------------------
0x00          0x04     recordType (0x00000007)
0x04          0x04     recordSize
0x08          0x10     Bounds
0x18          0x04     NumberOfPolylines (P)
0x1C          0x04     Count (N)
0x20          0x04*P   aPolylinePointCount
0x20+(4*P)    0x08*N   aPoints

For the EMR_POLYPOLYLINE record, the recordType value must be 0x00000007. NumberOfPolylines (P) gives the number of 32-bit entries in aPolylinePointCount, one per polyline. The Count field (N) specifies the total number of PointL objects in the aPoints array; each PointL is 8 bytes (32-bit x, 32-bit y), so aPoints occupies 8 * N bytes and a well-formed record must be at least 0x20 + (4 * P) + (8 * N) bytes long.

The vulnerable code does not enforce this relationship. When (0x20 + (4 * P) + (8 * N)) exceeds recordSize, the loop that walks aPoints continues past the end of the record buffer and an out-of-bounds read occurs. (As the disassembly below shows, the loop actually advances 4 bytes per point, so the effective threshold is (0x20 + (4 * P) + (4 * N)).) This behavior can be observed while debugging with PageHeap enabled, which places the record buffer against a guard page so the first read past the allocation faults.
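As an added illustration of the EMR_HEADER and EMR_POLYPOLYLINE layouts above (example code written for this page, not Talos' or Canva's), the following C program walks an EMF byte buffer, validates the header fields, checks the record chain, and applies the size check that a POLYPOLYLINE record requires. The record-type constants, the 88-byte minimum header and the 4-byte record alignment rule come from MS-EMF; the sample file produced by build_sample is constructed here and mirrors the values from the crash (recordSize 0x94, NumberOfPolylines 0, Count 0x9f600). It also covers EMR_POLYPOLYLINE16 (type 0x5A), whose points are 4-byte PointS objects, which goes one step beyond the single record type discussed in the text.

```c
/* Added example for this page (not Talos' or Canva's code): a minimal EMF
 * record walker that validates EMR_HEADER and rejects EMR_POLYPOLYLINE /
 * EMR_POLYPOLYLINE16 records whose declared arrays do not fit in recordSize.
 * Constants follow MS-EMF; the sample file below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EMR_HEADER         0x00000001u
#define EMR_POLYPOLYLINE   0x00000007u   /* points are 8-byte PointL */
#define EMR_POLYPOLYLINE16 0x0000005Au   /* points are 4-byte PointS */
#define EMR_EOF            0x0000000Eu
#define ENHMETA_SIGNATURE  0x464D4520u   /* the bytes " EMF" on disk */
#define EMR_HEADER_MIN     0x58u         /* MS-EMF: header record is at least 88 bytes */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bytes a POLYPOLYLINE-style record needs: 0x20 fixed + 4*P counts + N points.
 * Computed in 64 bits so a huge P or N cannot wrap below recordSize. */
uint64_t polypolyline_required(uint32_t P, uint32_t N, uint32_t point_size) {
    return 0x20ull + 4ull * P + (uint64_t)point_size * N;
}

/* Returns 0 when every record fits, 1 when a record over-declares its
 * contents (bad_offset = that record's file offset), -1 if the buffer is
 * not a plausible EMF at all. */
int emf_check(const uint8_t *buf, size_t len, uint32_t *bad_offset) {
    *bad_offset = 0;
    if (len < EMR_HEADER_MIN || rd32(buf) != EMR_HEADER ||
        rd32(buf + 0x28) != ENHMETA_SIGNATURE || rd32(buf + 4) < EMR_HEADER_MIN)
        return -1;
    uint32_t total = rd32(buf + 0x30);            /* sizeInBytes, capped to the buffer */
    if (total > len) total = (uint32_t)len;
    uint32_t off = 0;
    while (off + 8 <= total) {
        uint32_t type = rd32(buf + off), size = rd32(buf + off + 4);
        /* every record: >= 8 bytes, 4-byte aligned, entirely inside the file */
        if (size < 8 || (size & 3) || size > total - off) { *bad_offset = off; return 1; }
        if (type == EMR_POLYPOLYLINE || type == EMR_POLYPOLYLINE16) {
            if (size < 0x20) { *bad_offset = off; return 1; }
            uint32_t P = rd32(buf + off + 0x18), N = rd32(buf + off + 0x1C);
            uint32_t psz = (type == EMR_POLYPOLYLINE) ? 8 : 4;
            if (polypolyline_required(P, N, psz) > size) { *bad_offset = off; return 1; }
        }
        if (type == EMR_EOF) return 0;
        off += size;
    }
    *bad_offset = off;                            /* ran out of data before EMR_EOF */
    return 1;
}

/* Constructed sample: header + one 0x94-byte EMR_POLYPOLYLINE + EMR_EOF.
 * With P = 0 and N = 0x9f600 it reproduces the malformed record from the crash. */
size_t build_sample(uint8_t *out, uint32_t P, uint32_t N) {
    const uint32_t hdr = EMR_HEADER_MIN, rec = 0x94, eof = 0x14, total = hdr + rec + eof;
    memset(out, 0, total);
    wr32(out + 0x00, EMR_HEADER);  wr32(out + 0x04, hdr);
    wr32(out + 0x28, ENHMETA_SIGNATURE);
    wr32(out + 0x2C, 0x00010000);  /* version */
    wr32(out + 0x30, total);       /* sizeInBytes */
    wr32(out + 0x34, 3);           /* numOfRecords */
    uint8_t *r = out + hdr;
    wr32(r + 0x00, EMR_POLYPOLYLINE); wr32(r + 0x04, rec);
    wr32(r + 0x18, P);                wr32(r + 0x1C, N);
    uint8_t *e = r + rec;
    wr32(e + 0x00, EMR_EOF); wr32(e + 0x04, eof); wr32(e + 0x10, eof);   /* sizeLast */
    return total;
}

int main(void) {
    uint8_t file[0x100]; uint32_t bad;
    size_t n = build_sample(file, 0, 0x9f600);
    printf("crafted : %d (offset 0x%x)\n", emf_check(file, n, &bad), bad);
    n = build_sample(file, 1, 14);     /* 0x20 + 4 + 8*14 = 0x94, fits exactly */
    printf("benign  : %d\n", emf_check(file, n, &bad));
    return 0;
}
```

The walker caps sizeInBytes to the buffer it was actually given and rejects any record whose recordSize would run past that limit before it reads a single field of the record body, which is the ordering the vulnerable loader lacks.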

0:039> g
Breakpoint 0 hit
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fa:
00007ffa`4ef0857a 8b4740          mov     eax,dword ptr [rdi+40h] ds:000001d6`d4830040=0000006c
0:032> bp 00007FFA4EF1837E
0:032> g
Breakpoint 1 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4a1fe:
00007ffa`4ef1837e 4c8bea          mov     r13,rdx
0:032> r
rax=00007ffa5d93ada0 rbx=000001d6d4830124 rcx=00000020aa9ff390
rdx=000001d6d4830124 rsi=000001d9beaacd20 rdi=00000020aa9ff2d0
rip=00007ffa4ef1837e rsp=00000020aa9fefe0 rbp=00000020aa9ff060
 r8=000001d995786ff0  r9=0000000000000002 r10=0000000000000000
r11=00000020aa9fef60 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x4a1fe:
00007ffa`4ef1837e 4c8bea          mov     r13,rdx
0:032> dd 000001d6d4830124 ;<---------------------------------------- (1)
000001d6`d4830124  00000007 00000094 0000005e 00000252
000001d6`d4830134  00000c00 00006c00 00000000 0009f600
000001d6`d4830144  000ce400 0000d800 00011700 00000000
000001d6`d4830154  00000000 00000000 034b5c00 04436800
000001d6`d4830164  72005000 6e006900 20007400 65007400
000001d6`d4830174  74007300 00000000 00002500 00000c00
000001d6`d4830184  00000700 00002580 00000c00 00000000
000001d6`d4830194  00002580 00000c00 00000e00 00001b80
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a201:
00007ffa`4ef18381 e84a91ffff      call    libpersona!Emf::EmfLoader::LoadDocument+0x43350 (00007ffa`4ef114d0)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a206:
00007ffa`4ef18386 0f57c0          xorps   xmm0,xmm0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a209:
00007ffa`4ef18389 f30f7f45c8      movdqu  xmmword ptr [rbp-38h],xmm0 ss:00000020`aa9ff028=000001d978506fd000007ffa4ef0dd98
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a20e:
00007ffa`4ef1838e 4533e4          xor     r12d,r12d
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a211:
00007ffa`4ef18391 458bc4          mov     r8d,r12d
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a214:
00007ffa`4ef18394 4c8965d8        mov     qword ptr [rbp-28h],r12 ss:00000020`aa9ff038=000001d600000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a218:
00007ffa`4ef18398 418b4518        mov     eax,dword ptr [r13+18h] ds:000001d6`d483013c=00000000 ;<---------------------------------------- (2)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a21c:
00007ffa`4ef1839c 4885c0          test    rax,rax
0:032> bp 00007FFA4EF18650
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a21f:
00007ffa`4ef1839f 0f848c000000    je      libpersona!Emf::EmfLoader::LoadDocument+0x4a2b1 (00007ffa`4ef18431) [br=1]
0:032> g
Breakpoint 2 hit
libpersona!Emf::EmfLoader::LoadDocument+0x4a4d0:
00007ffa`4ef18650 4c8d248520000000 lea     r12,[rax*4+20h] ;<---------------------------------------- (3)
0:032> r
rax=0000000000000000 rbx=000001d9d5cf0fe0 rcx=000001d9d66e6fe0
rdx=0000000000000000 rsi=000001d9d5cf0fe0 rdi=0000000000000000
rip=00007ffa4ef18650 rsp=00000020aa9fefe0 rbp=00000020aa9ff060
 r8=0000000000000000  r9=00007ffafa1e120e r10=00007ffafa1d0000
r11=0000000000000246 r12=0000000000000000 r13=000001d6d4830124
r14=0000000000000000 r15=00000000009f6000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
libpersona!Emf::EmfLoader::LoadDocument+0x4a4d0:
00007ffa`4ef18650 4c8d248520000000 lea     r12,[rax*4+20h] 
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a4d8:
00007ffa`4ef18658 4d03e5          add     r12,r13 ;<---------------------------------------- (4)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a4db:
00007ffa`4ef1865b 4533ed          xor     r13d,r13d
0:032> r
rax=0000000000000000 rbx=000001d9d5cf0fe0 rcx=000001d9d66e6fe0
rdx=0000000000000000 rsi=000001d9d5cf0fe0 rdi=0000000000000000
rip=00007ffa4ef1865b rsp=00000020aa9fefe0 rbp=00000020aa9ff060
 r8=0000000000000000  r9=00007ffafa1e120e r10=00007ffafa1d0000
r11=0000000000000246 r12=000001d6d4830144 r13=000001d6d4830124
r14=0000000000000000 r15=00000000009f6000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x4a4db:
00007ffa`4ef1865b 4533ed          xor     r13d,r13d
0:032> dd 000001d6d4830144  ;<---------------------------------------- (5)
000001d6`d4830144  000ce400 0000d800 00011700 00000000
000001d6`d4830154  00000000 00000000 034b5c00 04436800
000001d6`d4830164  72005000 6e006900 20007400 65007400
000001d6`d4830174  74007300 00000000 00002500 00000c00
000001d6`d4830184  00000700 00002580 00000c00 00000000
000001d6`d4830194  00002580 00000c00 00000e00 00001b80
000001d6`d48301a4  00001000 00000000 00000000 00000d00
000001d6`d48301b4  00001000 00000000 00000000 00006200
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a4de:
00007ffa`4ef1865e 488b4548        mov     rax,qword ptr [rbp+48h] ss:00000020`aa9ff0a8=000001d6d4830124
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a4e2:
00007ffa`4ef18662 4439681c        cmp     dword ptr [rax+1Ch],r13d ds:000001d6`d4830140=0009f600 ;<------------------------------------ (6)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a4e6:
00007ffa`4ef18666 0f8683010000    jbe     libpersona!Emf::EmfLoader::LoadDocument+0x4a66f (00007ffa`4ef187ef) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a4ec:
00007ffa`4ef1866c 49b8ffffffffffffff0f mov r8,0FFFFFFFFFFFFFFFh
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a4f6:
00007ffa`4ef18676 66660f1f840000000000 nop word ptr [rax+rax]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a500:
00007ffa`4ef18680 410fbf442402    movsx   eax,word ptr [r12+2] ds:000001d6`d4830146=000c ;<---------------------------------------- (7)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a506:
00007ffa`4ef18686 660f6ef0        movd    xmm6,eax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a50a:
00007ffa`4ef1868a f30fe6f6        cvtdq2pd xmm6,xmm6
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a50e:
00007ffa`4ef1868e 410fbf0424      movsx   eax,word ptr [r12] ds:000001d6`d4830144=e400 ;<---------------------------------------- (8)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x4a513:
00007ffa`4ef18693 660f6ef8        movd    xmm7,eax
0:032> u
libpersona!Emf::EmfLoader::LoadDocument+0x4a513:
00007ffa`4ef18693 660f6ef8        movd    xmm7,eax
00007ffa`4ef18697 f30fe6ff        cvtdq2pd xmm7,xmm7
00007ffa`4ef1869b 4c8bf3          mov     r14,rbx
00007ffa`4ef1869e 483bd9          cmp     rbx,rcx
00007ffa`4ef186a1 7438            je      libpersona!Emf::EmfLoader::LoadDocument+0x4a55b (00007ffa`4ef186db)
00007ffa`4ef186a3 f20f113b        movsd   mmword ptr [rbx],xmm7
00007ffa`4ef186a7 f20f117308      movsd   mmword ptr [rbx+8],xmm6
00007ffa`4ef186ac 488b5db8        mov     rbx,qword ptr [rbp-48h]

The contents of the EMR_POLYPOLYLINE record are examined at (1): recordType 0x00000007, recordSize 0x94, NumberOfPolylines 0 (offset 0x18) and Count 0x9f600 (offset 0x1C). The rax register at (2) receives the NumberOfPolylines value, which is used at (3) to compute the offset of the aPoints field (0x20 + 4 * P). At (4) this offset is added to the base address of the buffer holding the EMR_POLYPOLYLINE record to obtain the address of aPoints, and the contents of aPoints are examined at (5).

At (6), the loop counter in r13d (initially zero) is compared against Count, so the loop runs Count times with no reference to recordSize. Each iteration reads the two 16-bit coordinates of a point at (7) and (8), converts them to doubles, and advances r12 by 4 bytes. In other words, the application consumes 4-byte PointS objects at these locations rather than the 8-byte PointL objects the specification defines for EMR_POLYPOLYLINE, which means the vulnerability is triggered as soon as (0x20 + (4 * P) + (4 * N)) exceeds recordSize.

In this case Count is 0x9f600 while the record is only 0x94 bytes long, so the loop walks far beyond the record. With PageHeap placing the allocation against a guard page, the read at (7) faults once r12 reaches the next page (0x000001d6d4831000, after 0x3af iterations), which is where the out-of-bounds read becomes evident at the time of the crash.
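To make the loop described above concrete, here is an added C model written for this page (not Canva's code; the function names, the two-double output type and the sample record are assumptions made for the illustration). convert_points_unchecked has the shape of the observed loop: Count iterations over 16-bit x/y pairs with a 4-byte stride and no comparison against recordSize. convert_points_checked is the hardened form, deriving the bound from recordSize before touching aPoints. The record is placed inside a larger constructed arena with filler bytes after it, so the over-read is observable (the filler shows up in the converted points) rather than undefined behaviour. The 4-byte stride is kept to match what the disassembly shows; a specification-conformant EMR_POLYPOLYLINE handler would consume 8-byte PointL objects and bound by 8 * N.

```c
/* Added example for this page (not Canva's code): a model of the point
 * conversion loop from the analysis above, in its observed (unchecked) shape
 * and a hardened form. Function names, the two-double output type and the
 * sample record are assumptions made for the illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { double x, y; } Point2D;   /* assumed: the movsd pair stores two doubles */

#define REC_SIZE   0x94u   /* recordSize from the crash */
#define ARENA_SIZE 0x200u  /* record plus filler standing in for neighbouring heap */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static int16_t rd16(const uint8_t *p) { return (int16_t)(uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Observed shape: Count iterations over 16-bit x/y pairs starting at
 * 0x20 + 4*P, advancing 4 bytes per point, never compared with recordSize.
 * out_cap only bounds the output array so the demo stays inside the arena;
 * the read cursor still runs past the end of the record. */
size_t convert_points_unchecked(const uint8_t *rec, Point2D *out, size_t out_cap) {
    uint32_t P = rd32(rec + 0x18), N = rd32(rec + 0x1C);
    const uint8_t *cur = rec + 0x20 + (size_t)P * 4;
    size_t n = 0;
    for (uint32_t i = 0; i < N && n < out_cap; i++, cur += 4, n++) {
        out[n].x = (double)rd16(cur);       /* like movsx eax, word ptr [r12] */
        out[n].y = (double)rd16(cur + 2);   /* like movsx eax, word ptr [r12+2] */
    }
    return n;
}

/* Hardened form: bound everything by recordSize (itself bounded by the
 * buffer) before touching aPoints, using 64-bit math so P and N cannot wrap.
 * Keeps the 4-byte stride to match the observed loop; a spec-conformant
 * EMR_POLYPOLYLINE handler would use 8-byte PointL and 8 * N here. */
long convert_points_checked(const uint8_t *rec, size_t rec_len, Point2D *out, size_t out_cap) {
    if (rec_len < 0x20) return -1;
    uint32_t size = rd32(rec + 4), P = rd32(rec + 0x18), N = rd32(rec + 0x1C);
    if (size < 0x20 || size > rec_len) return -1;
    uint64_t need = 0x20ull + 4ull * P + 4ull * N;
    if (need > size || N > out_cap) return -1;       /* Count claims more than the record holds */
    const uint8_t *cur = rec + 0x20 + (size_t)P * 4;
    for (uint32_t i = 0; i < N; i++, cur += 4) {
        out[i].x = (double)rd16(cur);
        out[i].y = (double)rd16(cur + 2);
    }
    return (long)N;
}

/* Constructed arena: a zeroed 0x94-byte EMR_POLYPOLYLINE with the given
 * NumberOfPolylines/Count, followed by 0x77 filler up to ARENA_SIZE. */
void build_arena(uint8_t *arena, uint32_t P, uint32_t N) {
    memset(arena, 0x77, ARENA_SIZE);
    memset(arena, 0x00, REC_SIZE);
    wr32(arena + 0x00, 0x00000007u);   /* recordType EMR_POLYPOLYLINE */
    wr32(arena + 0x04, REC_SIZE);
    wr32(arena + 0x18, P);
    wr32(arena + 0x1C, N);
}

int main(void) {
    uint8_t arena[ARENA_SIZE];
    Point2D pts[0x40];
    build_arena(arena, 0, 0x40);       /* 64 points = 0x100 bytes; the record holds only 0x74 */
    size_t n = convert_points_unchecked(arena, pts, 0x40);
    printf("unchecked: %zu points, pts[29].x = %.0f (filler read past 0x94)\n", n, pts[29].x);
    printf("checked  : %ld\n", convert_points_checked(arena, REC_SIZE, pts, 0x40));
    return 0;
}
```

Point 28 is read from offset 0x90, the last 4-byte pair inside the record, and comes back as zero; point 29 is read from offset 0x94, the first bytes past recordSize, and comes back as the 0x7777 filler. That is the same mechanism by which adjacent heap contents end up in the converted point array in the real loader, minus the guard page that turned it into a crash under PageHeap.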

0:032> g
(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
libpersona!Emf::EmfLoader::LoadDocument+0x4a500:
00007ffa`4ef18680 410fbf442402    movsx   eax,word ptr [r12+2] ds:000001d6`d4831002=????

0:032> r
rax=000001d6d4830124 rbx=000001d9d5cf4ad0 rcx=000001d9d66e6fe0
rdx=0000000000000000 rsi=000001d9d5cf0fe0 rdi=0000000000000000
rip=00007ffa4ef18680 rsp=00000020aa9fefe0 rbp=00000020aa9ff060
 r8=0fffffffffffffff  r9=00007ffafa1e120e r10=00007ffafa1d0000
r11=0000000000000246 r12=000001d6d4831000 r13=00000000000003af
r14=000001d9d5cf4ac0 r15=00000000009f6000
iopl=0         nv up ei ng nz na po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
libpersona!Emf::EmfLoader::LoadDocument+0x4a500:
00007ffa`4ef18680 410fbf442402    movsx   eax,word ptr [r12+2] ds:000001d6`d4831002=????
0:032> dd 000001d6d4831000
000001d6`d4831000  ???????? ???????? ???????? ????????
000001d6`d4831010  ???????? ???????? ???????? ????????
000001d6`d4831020  ???????? ???????? ???????? ????????
000001d6`d4831030  ???????? ???????? ???????? ????????
000001d6`d4831040  ???????? ???????? ???????? ????????
000001d6`d4831050  ???????? ???????? ???????? ????????
000001d6`d4831060  ???????? ???????? ???????? ????????
000001d6`d4831070  ???????? ???????? ???????? ????????

0:032> u
libpersona!Emf::EmfLoader::LoadDocument+0x4a500:
00007ffa`4ef18680 410fbf442402    movsx   eax,word ptr [r12+2]
00007ffa`4ef18686 660f6ef0        movd    xmm6,eax
00007ffa`4ef1868a f30fe6f6        cvtdq2pd xmm6,xmm6
00007ffa`4ef1868e 410fbf0424      movsx   eax,word ptr [r12]
00007ffa`4ef18693 660f6ef8        movd    xmm7,eax
00007ffa`4ef18697 f30fe6ff        cvtdq2pd xmm7,xmm7
00007ffa`4ef1869b 4c8bf3          mov     r14,rbx
00007ffa`4ef1869e 483bd9          cmp     rbx,rcx

0:032> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`4ef2000f     : 00000020`aa9ff390 000001d6`d4830124 000001d9`6d5f7fd0 000001d6`d4830124 : libpersona!Emf::EmfLoader::LoadDocument+0x4a500
01 00007ffa`4ef1fe9c     : 00000020`aa9ff390 00000000`00000124 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x51e8f
02 00007ffa`faf0e73f     : 00000000`00000124 000001d9`beaacd20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
03 00007ffa`fc56d432     : 000001d9`76870fd0 00000020`00000000 000001d9`76870fd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
04 00007ffa`4ef215ce     : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d6`e2a4ff90 : GDI32!EnumEnhMetaFileStub+0x52
05 00007ffa`4eecdb56     : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
06 00007ffa`4eece041     : 000001d6`e2a4ff90 000001d9`beaacd20 000001d6`e2a4ff90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
07 00007ffa`4eece2ab     : 00000020`aa9ff708 000001d6`e2a4ff90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
08 00007ffa`4eece124     : 000001d9`b5b2c740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
09 00007ffa`4ec83a94     : 000001d9`bd296fb0 000001d9`b5b2c740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0a 00007ffa`4ec5088f     : 000001d9`b5b2c740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0b 00007ffa`4ec4eacc     : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0c 00007ffa`51283602     : 000001d9`a4ed6690 00000000`00000000 000001d9`bb0f0f70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0d 00007ffa`52a96cea     : 000001d9`a4ed66c8 000001d9`af8baf00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
0e 00007ffa`af2464cf     : 00000000`00000000 000001d9`bb0f0f70 00000000`00000000 000001d9`b1b92fe0 : libpersona!PersonaController::StaticDoCommand+0x3a
0f 00007ffa`af49f47f     : 000001d9`ba54cfd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
10 00007ffa`fcc17374     : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
11 00007ffa`fd87cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
12 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

0:032> lmDvm libpersona
Browse full module list
start             end                 module name
00007ffa`49180000 00007ffa`60abb000   libpersona   (export symbols)       C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image name: libpersona.dll
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Nov  3 07:34:40 2025 (6908CB90)
    CheckSum:         17822078
    ImageSize:        1793B000
    Mapping Form:     Loaded
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Exploiting this vulnerability allows reading memory beyond the end of the metafile record buffer within the process. The values read are converted to doubles and stored into an output point array (the movsd stores following (8)), so heap contents adjacent to the buffer can be carried into the parsed document, potentially disclosing sensitive information; a sufficiently large Count also crashes the application, as reflected by the A:L component of the CVSS vector.

VENDOR RESPONSE

See security bulletin on trust.canva.com with the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)

TIMELINE

2026-01-27 - Vendor Disclosure
2026-03-17 - Vendor Patch Release
2026-03-17 - Public Release

Credit

Discovered by KPC of Cisco Talos.