SB2026031845 - Multiple vulnerabilities in Canva Affinity



SB2026031845 - Multiple vulnerabilities in Canva Affinity

Published: March 18, 2026

Security Bulletin ID SB2026031845
CSH Severity
High
Patch available
YES
Number of vulnerabilities 19
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 11% Medium 84% Low 5%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 19 vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2025-62500)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within nDescription field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


2) Out-of-bounds read (CVE-ID: CVE-2025-64733)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within offBmi field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


3) Out-of-bounds read (CVE-ID: CVE-2025-65119)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


4) Out-of-bounds read (CVE-ID: CVE-2026-22882)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


5) Out-of-bounds read (CVE-ID: CVE-2025-62403)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within offDx field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


6) Type Confusion (CVE-ID: CVE-2025-66342)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error in the EMF functionality within EMR_FRAMERGN record type. A remote attacker can trick a victim to open a specially crafted EMF file, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


7) Out-of-bounds read (CVE-ID: CVE-2025-66042)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within CountRects field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


8) Out-of-bounds write (CVE-ID: CVE-2025-64301)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error in the EMF functionality within the DIBHeaderInfo field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.


9) Out-of-bounds read (CVE-ID: CVE-2025-64776)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within offBmiSrc field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


10) Out-of-bounds read (CVE-ID: CVE-2025-66503)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


11) Out-of-bounds read (CVE-ID: CVE-2025-47873)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


12) Out-of-bounds read (CVE-ID: CVE-2025-66617)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


13) Out-of-bounds read (CVE-ID: CVE-2025-58427)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within offDx field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


14) Out-of-bounds read (CVE-ID: CVE-2026-20726)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


15) Out-of-bounds read (CVE-ID: CVE-2025-66633)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within cbBitsSrc field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


16) Out-of-bounds read (CVE-ID: CVE-2025-64735)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within offBmiSrc field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


17) Out-of-bounds read (CVE-ID: CVE-2025-66000)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


18) Out-of-bounds read (CVE-ID: CVE-2025-61979)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within the offDescription field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


19) Out-of-bounds read (CVE-ID: CVE-2025-61952)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the EMF functionality within the Count field. A remote attacker can create a specially crafted EMF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, or perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.