SB2026031845 - Multiple vulnerabilities in Canva Affinity
Published: March 18, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 19 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2025-62500)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within nDescription field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
2) Out-of-bounds read (CVE-ID: CVE-2025-64733)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within offBmi field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
3) Out-of-bounds read (CVE-ID: CVE-2025-65119)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
4) Out-of-bounds read (CVE-ID: CVE-2026-22882)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
5) Out-of-bounds read (CVE-ID: CVE-2025-62403)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within offDx field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
6) Type Confusion (CVE-ID: CVE-2025-66342)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in the EMF functionality within EMR_FRAMERGN record type. A remote attacker can trick a victim to open a specially crafted EMF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Out-of-bounds read (CVE-ID: CVE-2025-66042)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within CountRects field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
8) Out-of-bounds write (CVE-ID: CVE-2025-64301)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in the EMF functionality within the DIBHeaderInfo field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
9) Out-of-bounds read (CVE-ID: CVE-2025-64776)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within offBmiSrc field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
10) Out-of-bounds read (CVE-ID: CVE-2025-66503)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
11) Out-of-bounds read (CVE-ID: CVE-2025-47873)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
12) Out-of-bounds read (CVE-ID: CVE-2025-66617)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
13) Out-of-bounds read (CVE-ID: CVE-2025-58427)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within offDx field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
14) Out-of-bounds read (CVE-ID: CVE-2026-20726)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
15) Out-of-bounds read (CVE-ID: CVE-2025-66633)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within cbBitsSrc field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
16) Out-of-bounds read (CVE-ID: CVE-2025-64735)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within offBmiSrc field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
17) Out-of-bounds read (CVE-ID: CVE-2025-66000)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
18) Out-of-bounds read (CVE-ID: CVE-2025-61979)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within the offDescription field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
19) Out-of-bounds read (CVE-ID: CVE-2025-61952)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the EMF functionality within the Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2298
- https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2300
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2320
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2325
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2321
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2297
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2319
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2310
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2311
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2318
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2316
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2315
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2314
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2324
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2313
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2312
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2301
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2299
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2317