CVE-2025-62500

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Canva Affinity 3.0.1.3808

Affinity – https://www.affinity.studio/

6.1 – CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE-125 – Out-of-bounds Read

Affinity is a professional and versatile suite of creative applications designed for graphic design, photo editing, and desktop publishing. It provides a fast, streamlined experience with powerful tools to create illustrations, edit images, and design print or digital layouts. The suite is widely regarded as a capable and affordable alternative to software such as Adobe Creative Cloud.

Affinity applications support the EMF file format, and this vulnerability is associated with how EMF files are processed.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (`EMR_HEADER`) that contains information about the structure and contents of the metafile. The structure of the `EMR_HEADER` is as follows:

```
Offset  Size  Name
------  ----  ------------------------------
0x00    0x04  recordType (0x00000001)
0x04    0x04  recordSize
0x08    0x10  bounds
0x18    0x10  frame
0x28    0x04  recordSignature (0x464D4520)
0x2C    0x04  version
0x30    0x04  sizeInBytes
0x34    0x04  numOfRecords
0x38    0x02  Handles
0x3A    0x02  Reserved
0x3C    0x04  nDescription
0x40    0x04  offDescription
0x44    0x04  PalEntries
```

Please note that the structure of `EMR_HEADER` shown is not complete; it only includes the relevant fields.

For the `EMR_HEADER` record, the `recordType` must be `0x00000001`. The `recordSize` indicates the total size of the header record in bytes. The `recordSignature` field defines the record signature, which must have the value `0x464D4520` (`FME`). The `sizeInBytes` field specifies the size of the metafile in bytes. The `numOfRecords` indicates the total number of records present in the metafile, including the `EMR_HEADER`.

The `nDescription` and `offDescription` fields define the `EmfDescription`. `EmfDescription` is a null-terminated Unicode string of arbitrary length. The `nDescription` field specifies the number of characters in the `EmfDescription`, and the `offDescription` field specifies the offset from the beginning of the `EMR_HEADER` record to the array that contains the `EmfDescription`.

This vulnerability occurs because the value of `nDescription` is not validated. If `(offDescription + nDescription)` is greater than the `recordSize` field, then an out-of-bounds read occurs when accessing the `EmfDescription`. This behavior can be observed while debugging with pageheap enabled.

```
0:039> g
Breakpoint 0 hit
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fa:
00007ffa`4ef0857a 8b4740          mov     eax,dword ptr [rdi+40h] ds:000001d6`d4830040=0000006c   ;<---------------- (1)
0:032> r
rax=00000020aa9ff4b0 rbx=000001d9ab76e580 rcx=000001d9ab698ff0
rdx=00000020aa9ff4b8 rsi=000001d9c3b34d20 rdi=000001d6d4830000
rip=00007ffa4ef0857a rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=00007ffa4ef1fe80 r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fa:
00007ffa`4ef0857a 8b4740          mov     eax,dword ptr [rdi+40h] ds:000001d6`d4830040=0000006c
0:032> db 000001d6d4830000   ;<---------------- (2)
000001d6`d4830000  01 00 00 00 c0 00 00 00-64 00 00 00 64 00 00 00  ........d...d...
000001d6`d4830010  1e 02 00 00 77 02 00 00-00 00 00 00 00 00 00 00  ....w...........
000001d6`d4830020  20 03 00 00 58 02 00 00-20 45 4d 46 00 00 01 00   ...X... EMF....
000001d6`d4830030  64 02 00 00 15 00 00 00-02 fb ee 28 00 00 00 29  d..........(...)
000001d6`d4830040  6c 00 00 00 00 00 00 00-00 00 00 00 0a 00 00 38  l..............8
000001d6`d4830050  04 00 00 1e 03 00 00 4e-01 00 00 00 00 00 00 00  .......N........
000001d6`d4830060  00 00 00 00 00 00 00 30-2d 0c 00 b0 18 05 00 54  .......0-......T
000001d6`d4830070  00 72 00 61 00 6e 00 73-00 66 00 6f 00 72 00 6d  .r.a.n.s.f.o.r.m
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x3a3fd:
00007ffa`4ef0857d 85c0            test    eax,eax
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x3a3ff:
00007ffa`4ef0857f 0f841c010000    je      libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x3a405:
00007ffa`4ef08585 8b773c          mov     esi,dword ptr [rdi+3Ch] ds:000001d6`d483003c=29000000   ;<---------------- (3)
0:032> t
libpersona!Emf::EmfLoader::LoadDocument+0x3a408:
00007ffa`4ef08588 85f6            test    esi,esi
```

At `(1)`, `offDescription` is read and stored in the `eax` register. The contents of the `EMR_HEADER` record are examined at `(2)`. Note that the size of the `EMR_HEADER` record is `0xC0`. At `(3)`, `nDescription` is read, and its value is larger than the total size of the `EMR_HEADER` record.

```
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a40a:
00007ffa`4ef0858a 0f8411010000    je      libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a410:
00007ffa`4ef08590 448be0          mov     r12d,eax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a413:
00007ffa`4ef08593 4c03e7          add     r12,rdi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a416:
00007ffa`4ef08596 0f8405010000    je      libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> r
rax=000000000000006c rbx=000001d9ab76e580 rcx=000001d9ab698ff0
rdx=00000020aa9ff4b8 rsi=0000000029000000 rdi=000001d6d4830000
rip=00007ffa4ef08596 rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a416:
00007ffa`4ef08596 0f8405010000    je      libpersona!Emf::EmfLoader::LoadDocument+0x3a521 (00007ffa`4ef086a1) [br=0]
0:032> db 000001d6d483006c   ;<---------------- (4)
000001d6`d483006c  18 05 00 54 00 72 00 61-00 6e 00 73 00 66 00 6f  ...T.r.a.n.s.f.o
000001d6`d483007c  00 72 00 6d 00 20 00 4f-00 70 00 65 00 72 00 61  .r.m. .O.p.e.r.a
000001d6`d483008c  00 74 00 69 00 6f 00 6e-00 73 00 20 00 45 00 4d  .t.i.o.n.s. .E.M
000001d6`d483009c  00 46 00 00 00 54 00 72-00 61 00 6e 00 73 00 66  .F...T.r.a.n.s.f
000001d6`d48300ac  00 6f 00 72 00 6d 00 20-00 44 00 65 00 6d 00 6f  .o.r.m. .D.e.m.o
000001d6`d48300bc  00 00 00 00 00 00 00 11-00 00 00 0c 00 00 00 08  ................
000001d6`d48300cc  00 00 00 09 00 00 00 10-00 00 00 20 03 00 00 58  ........... ...X
000001d6`d48300dc  02 00 00 0b 00 00 00 10-00 00 00 20 03 00 00 58  ........... ...X
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a41c:
00007ffa`4ef0859c 85f6            test    esi,esi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a41e:
00007ffa`4ef0859e 790d            jns     libpersona!Emf::EmfLoader::LoadDocument+0x3a42d (00007ffa`4ef085ad) [br=1]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a42d:
00007ffa`4ef085ad 7521            jne     libpersona!Emf::EmfLoader::LoadDocument+0x3a450 (00007ffa`4ef085d0) [br=1]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a450:
00007ffa`4ef085d0 8d047515000000  lea     eax,[rsi*2+15h]
0:032> r
rax=000000000000006c rbx=000001d9ab76e580 rcx=000001d9ab698ff0
rdx=00000020aa9ff4b8 rsi=0000000029000000 rdi=000001d6d4830000
rip=00007ffa4ef085d0 rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a450:
00007ffa`4ef085d0 8d047515000000  lea     eax,[rsi*2+15h]   ;<-------------------- (5)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a457:
00007ffa`4ef085d7 83e0f8          and     eax,0FFFFFFF8h
0:032> r
rax=0000000052000015 rbx=000001d9ab76e580 rcx=000001d9ab698ff0
rdx=00000020aa9ff4b8 rsi=0000000029000000 rdi=000001d6d4830000
rip=00007ffa4ef085d7 rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a457:
00007ffa`4ef085d7 83e0f8          and     eax,0FFFFFFF8h
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a45a:
00007ffa`4ef085da 8bf8            mov     edi,eax
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a45c:
00007ffa`4ef085dc 8bc8            mov     ecx,eax
0:032> p
rax=0000000052000010 rbx=000001d9ab76e580 rcx=0000000052000010
rdx=00000020aa9ff4b8 rsi=0000000029000000 rdi=0000000052000010
rip=00007ffa4ef085de rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000000000010 r10=000001d999ff4ff0
r11=000001d999ff4ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a45e:
00007ffa`4ef085de e851eb890d      call    libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x2700b4 (00007ffa`5c7a7134)   ;<------------------------- (6)
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a463:
00007ffa`4ef085e3 488bd8          mov     rbx,rax
0:032> r
rax=000001d9d5cf0ff0 rbx=000001d9ab76e580 rcx=000000007ffe0380
rdx=00000000000000d0 rsi=0000000029000000 rdi=0000000052000010
rip=00007ffa4ef085e3 rsp=00000020aa9ff040 rbp=00000020aa9ff390
 r8=0000000000000000  r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d6d4830000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
libpersona!Emf::EmfLoader::LoadDocument+0x3a463:
00007ffa`4ef085e3 488bd8          mov     rbx,rax
0:032> db 000001d9d5cf0ff0   ;<------------------------- (7)
000001d9`d5cf0ff0  c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0  ................
000001d9`d5cf1000  c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0  ................
000001d9`d5cf1010  c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0  ................
000001d9`d5cf1020  c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0  ................
000001d9`d5cf1030  c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0  ................
000001d9`d5cf1040  c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0  ................
000001d9`d5cf1050  c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0  ................
000001d9`d5cf1060  c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0  ................
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a466:
00007ffa`4ef085e6 448930          mov     dword ptr [rax],r14d ds:000001d9`d5cf0ff0=c0c0c0c0
```

At `(4)`, `offDescription` is added to the pointer to the `EMR_HEADER` record to obtain the address of the source `EmfDescription`. At `(5)`, `nDescription` is used to calculate the size of the `EmfDescription`, and `malloc` is called at `(6)` to allocate the destination `EmfDescription` buffer. The contents of the destination buffer are examined at `(7)`.

```
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a469:
00007ffa`4ef085e9 8d47f2          lea     eax,[rdi-0Eh]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a46c:
00007ffa`4ef085ec d1e8            shr     eax,1
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a46e:
00007ffa`4ef085ee 894308          mov     dword ptr [rbx+8],eax ds:000001d9`d5cf0ff8=c0c0c0c0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a471:
00007ffa`4ef085f1 48895c2460      mov     qword ptr [rsp+60h],rbx ss:00000020`aa9ff0a0=000001d9ab76e580
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a476:
00007ffa`4ef085f6 4c8beb          mov     r13,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a479:
00007ffa`4ef085f9 488beb          mov     rbp,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a47c:
00007ffa`4ef085fc 4c8bfb          mov     r15,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a47f:
00007ffa`4ef085ff 4c8bf3          mov     r14,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a482:
00007ffa`4ef08602 4885db          test    rbx,rbx
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a485:
00007ffa`4ef08605 7403            je      libpersona!Emf::EmfLoader::LoadDocument+0x3a48a (00007ffa`4ef0860a) [br=0]
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a487:
00007ffa`4ef08607 f0ff03          lock inc dword ptr [rbx] ds:000001d9`d5cf0ff0=00000000
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a48a:
00007ffa`4ef0860a 41897504        mov     dword ptr [r13+4],esi ds:000001d9`d5cf0ff4=c0c0c0c0
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a48e:
00007ffa`4ef0860e 4863fe          movsxd  rdi,esi
0:032> p
libpersona!Emf::EmfLoader::LoadDocument+0x3a491:
00007ffa`4ef08611 4c8d043f        lea     r8,[rdi+rdi]   ;<------------------------- (8)
0:032> r
rax=0000000029000001 rbx=000001d9d5cf0ff0 rcx=000000007ffe0380
rdx=00000000000000d0 rsi=0000000029000000 rdi=0000000029000000
rip=00007ffa4ef08611 rsp=00000020aa9ff040 rbp=000001d9d5cf0ff0
 r8=0000000000000000  r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d9d5cf0ff0
r14=000001d9d5cf0ff0 r15=000001d9d5cf0ff0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a491:
00007ffa`4ef08611 4c8d043f        lea     r8,[rdi+rdi]
0:032> p;r
rax=0000000029000001 rbx=000001d9d5cf0ff0 rcx=000000007ffe0380
rdx=00000000000000d0 rsi=0000000029000000 rdi=0000000029000000
rip=00007ffa4ef08615 rsp=00000020aa9ff040 rbp=000001d9d5cf0ff0
 r8=0000000052000000  r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d9d5cf0ff0
r14=000001d9d5cf0ff0 r15=000001d9d5cf0ff0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a495:
00007ffa`4ef08615 498bd4          mov     rdx,r12   ;<------------------------- (9)
0:032> p;r
rax=0000000029000001 rbx=000001d9d5cf0ff0 rcx=000000007ffe0380
rdx=000001d6d483006c rsi=0000000029000000 rdi=0000000029000000
rip=00007ffa4ef08618 rsp=00000020aa9ff040 rbp=000001d9d5cf0ff0
 r8=0000000052000000  r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d9d5cf0ff0
r14=000001d9d5cf0ff0 r15=000001d9d5cf0ff0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a498:
00007ffa`4ef08618 498d4d0c        lea     rcx,[r13+0Ch]   ;<------------------------- (10)
0:032> p;r
rax=0000000029000001 rbx=000001d9d5cf0ff0 rcx=000001d9d5cf0ffc
rdx=000001d6d483006c rsi=0000000029000000 rdi=0000000029000000
rip=00007ffa4ef0861c rsp=00000020aa9ff040 rbp=000001d9d5cf0ff0
 r8=0000000052000000  r9=0000000052000010 r10=000001d9d5cf0ff0
r11=000001d9d5cf0ff0 r12=000001d6d483006c r13=000001d9d5cf0ff0
r14=000001d9d5cf0ff0 r15=000001d9d5cf0ff0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
libpersona!Emf::EmfLoader::LoadDocument+0x3a49c:
00007ffa`4ef0861c e8c9138a0d      call    libpersona!WhiteBalanceAdjustmentRasterNode::__GetDefaultSerialisation+0x27296a (00007ffa`5c7a99ea)   ;<------------------------- (11)
0:032> db 000001d6d483006c
000001d6`d483006c  18 05 00 54 00 72 00 61-00 6e 00 73 00 66 00 6f  ...T.r.a.n.s.f.o
000001d6`d483007c  00 72 00 6d 00 20 00 4f-00 70 00 65 00 72 00 61  .r.m. .O.p.e.r.a
000001d6`d483008c  00 74 00 69 00 6f 00 6e-00 73 00 20 00 45 00 4d  .t.i.o.n.s. .E.M
000001d6`d483009c  00 46 00 00 00 54 00 72-00 61 00 6e 00 73 00 66  .F...T.r.a.n.s.f
000001d6`d48300ac  00 6f 00 72 00 6d 00 20-00 44 00 65 00 6d 00 6f  .o.r.m. .D.e.m.o
000001d6`d48300bc  00 00 00 00 00 00 00 11-00 00 00 0c 00 00 00 08  ................
000001d6`d48300cc  00 00 00 09 00 00 00 10-00 00 00 20 03 00 00 58  ........... ...X
000001d6`d48300dc  02 00 00 0b 00 00 00 10-00 00 00 20 03 00 00 58  ........... ...X
```

At `(11)`, `memcpy` is called to copy the `EmfDescription` from the `EMR_HEADER` to the destination `EmfDescription` buffer. The `nDescription` value at `(8)` is used to calculate the number of bytes to be copied from the source buffer at `(9)` to the destination buffer at `(10)`. Because `nDescription` can be arbitrarily larger than the record size, an out-of-bounds read occurs during this `memcpy` operation. This can be observed at the time of the crash.

```
0:032> g
(1318.1270): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VCRUNTIME140!memcpy+0x326:
00007ffa`fa1e1506 c5fe6f8a80000000 vmovdqu ymm1,ymmword ptr [rdx+80h] ds:000001d6`d4830ff0=00
0:032> dq 000001d6`d4830ff0
000001d6`d4830ff0  00000000`00000000 00000000`00000000
000001d6`d4831000  ????????`???????? ????????`????????
000001d6`d4831010  ????????`???????? ????????`????????
000001d6`d4831020  ????????`???????? ????????`????????
000001d6`d4831030  ????????`???????? ????????`????????
000001d6`d4831040  ????????`???????? ????????`????????
000001d6`d4831050  ????????`???????? ????????`????????
000001d6`d4831060  ????????`???????? ????????`????????
0:032> u VCRUNTIME140!memcpy+0x326
VCRUNTIME140!memcpy+0x326 [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 442]:
00007ffa`fa1e1506 c5fe6f8a80000000 vmovdqu ymm1,ymmword ptr [rdx+80h]
00007ffa`fa1e150e c5fe6f92a0000000 vmovdqu ymm2,ymmword ptr [rdx+0A0h]
00007ffa`fa1e1516 c5fe6f9ac0000000 vmovdqu ymm3,ymmword ptr [rdx+0C0h]
00007ffa`fa1e151e c5fe6fa2e0000000 vmovdqu ymm4,ymmword ptr [rdx+0E0h]
00007ffa`fa1e1526 c5fde78980000000 vmovntdq ymmword ptr [rcx+80h],ymm1
00007ffa`fa1e152e c5fde791a0000000 vmovntdq ymmword ptr [rcx+0A0h],ymm2
00007ffa`fa1e1536 c5fde799c0000000 vmovntdq ymmword ptr [rcx+0C0h],ymm3
00007ffa`fa1e153e c5fde7a1e0000000 vmovntdq ymmword ptr [rcx+0E0h],ymm4
0:032> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`4ef08621     : 000001d9`ab76e580 001fff0d`0000001f 000001d6`d4830000 00000000`00010000 : VCRUNTIME140!memcpy+0x326 [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 442]
01 00007ffa`4ef1ff01     : 000001d9`d5cf0ff0 00000020`aa9ff4b0 000001d6`d4830000 00000000`00000010 : libpersona!Emf::EmfLoader::LoadDocument+0x3a4a1
02 00007ffa`4ef1fe9c     : 00000020`aa9ff390 00000000`00000000 00000000`0000000f 000021d8`00000004 : libpersona!Emf::EmfLoader::LoadDocument+0x51d81
03 00007ffa`faf0e73f     : 00000000`00000000 000001d9`c3b34d20 000001d6`af810000 000001d6`af810000 : libpersona!Emf::EmfLoader::LoadDocument+0x51d1c
04 00007ffa`fc56d432     : 000001d9`83d36fd0 00000020`00000000 000001d9`83d36fd0 00000000`00000000 : gdi32full!bInternalPlayEMF+0x250bf
05 00007ffa`4ef215ce     : 00000000`00000000 00000020`aa9ff3f0 00000020`aa9ff670 000001d9`c314af90 : GDI32!EnumEnhMetaFileStub+0x52
06 00007ffa`4eecdb56     : 00000020`aa9ff390 00000020`aa9ff320 00000000`00000000 00007ffa`fd881910 : libpersona!Emf::EmfLoader::LoadDocument+0x5344e
07 00007ffa`4eece041     : 000001d9`c314af90 000001d9`c3b34d20 000001d9`c314af90 00000020`aa9ff670 : libpersona!Emf::EmfLoader::LoadDocument+0x86
08 00007ffa`4eece2ab     : 00000020`aa9ff708 000001d9`c314af90 00000020`aa9ff670 00000020`aa9ff720 : libpersona!Emf::EmfLoader::LoadDocument+0x101
09 00007ffa`4eece124     : 000001d9`a5d2e740 00000020`aa9ff708 00000020`aa9ff6d8 00000020`aa9ff751 : libpersona!Emf::EmfLoader::LoadDocument+0x12b
0a 00007ffa`4ec83a94     : 000001d9`c276cf90 000001d9`a5d2e740 00000020`aa9ff7b0 00000020`aa9ffa78 : libpersona!Emf::EmfLoader::LoadDocument+0x94
0b 00007ffa`4ec5088f     : 000001d9`a5d2e740 00000000`00000000 00000000`00000000 00000000`ffffff00 : libpersona!DocumentController::TryLoadEMF+0xc4
0c 00007ffa`4ec4eacc     : 00000000`00000000 000001d9`00000001 00000000`00000000 00000000`00000000 : libpersona!DocumentController::LoadDocumentI+0xfaf
0d 00007ffa`51283602     : 000001d9`bf18c690 00000000`00000000 000001d9`9c28ef70 00000000`00000000 : libpersona!DocumentController::LoadDocument+0x8c
0e 00007ffa`52a96cea     : 000001d9`bf18c6c8 000001d9`b422ef00 00007ffa`af8c2800 00000000`00000000 : libpersona!LoadDocumentCommand::Do+0x252
0f 00007ffa`af2464cf     : 00000000`00000000 000001d9`9c28ef70 00000000`00000000 000001d9`7d016fe0 : libpersona!PersonaController::StaticDoCommand+0x3a
10 00007ffa`af49f47f     : 000001d6`98576fd0 00000000`00000481 00000000`00000000 000001d9`a8c3ef90 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0xb787f
11 00007ffa`fcc17374     : 00007ffa`af8c2800 00000000`00000000 00000000`00000000 00000000`00000000 : libkernel!Kernel::InSerialiserPropertyDataStream::LoadValues+0x31082f
12 00007ffa`fd87cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
13 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:032> lmDvm libpersona
start             end                 module name
00007ffa`49180000 00007ffa`60abb000   libpersona   (export symbols)       C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Loaded symbol image file: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image path: C:\Program Files\WindowsApps\Canva.Affinity_3.0.1.3808_x64__8a0j1tnjnt4a4\App\libpersona.dll
    Image name: libpersona.dll
    Timestamp:        Mon Nov  3 07:34:40 2025 (6908CB90)
    CheckSum:         17822078
    ImageSize:        1793B000
    Mapping Form:     Loaded
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
```

Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.
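The check that is missing in the loader can be stated in a few lines. The following is an added example written for this page, not Affinity's or Talos's code: a minimal `EMR_HEADER` parser that reads `recordSize`, `nDescription` and `offDescription` at the offsets given in the table above and rejects the record unless the whole `EmfDescription` array lies inside the record. Because `nDescription` counts UTF-16 characters (the `lea r8,[rdi+rdi]` at `(8)` doubles it to get a byte count), the bound is `offDescription + 2 * nDescription <= recordSize`, computed in 64-bit arithmetic so a huge count cannot wrap. The 0xC0 header bytes are transcribed from the advisory's own dumps at `(2)` and `(4)`; the "repaired" variant with `nDescription = 0x29` is constructed here for contrast (0x29 is the length of the two strings plus terminators visible in the dump, which ends at offset 0xBE, inside the record).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EMR_HEADER constants and field offsets from the advisory's field table. */
#define EMR_HEADER_TYPE       0x00000001u
#define EMR_HEADER_SIGNATURE  0x464D4520u
#define EMR_HEADER_FIXED_SIZE 0x48u   /* bytes up to and including PalEntries */
#define OFF_RECORD_SIZE       0x04u
#define OFF_SIGNATURE         0x28u
#define OFF_N_DESCRIPTION     0x3Cu
#define OFF_OFF_DESCRIPTION   0x40u

enum emf_status {
    EMF_OK = 0,
    EMF_ERR_TRUNCATED,        /* fewer bytes than the fixed header needs */
    EMF_ERR_BAD_TYPE,         /* recordType != 0x00000001 */
    EMF_ERR_BAD_SIGNATURE,    /* recordSignature != 0x464D4520 */
    EMF_ERR_BAD_RECORD_SIZE,  /* recordSize below the fixed size or beyond the input */
    EMF_ERR_DESCRIPTION_OOB   /* offDescription + 2*nDescription runs past recordSize */
};

struct emf_header {
    uint32_t record_size;
    uint32_t n_description;   /* UTF-16 code units, terminators included */
    uint32_t off_description; /* byte offset from the start of EMR_HEADER */
};

/* Little-endian 32-bit read; EMF fields are little-endian on disk. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse EMR_HEADER and refuse any EmfDescription that is not fully inside the record. */
enum emf_status emf_parse_header(const uint8_t *buf, size_t len, struct emf_header *out)
{
    if (len < EMR_HEADER_FIXED_SIZE) return EMF_ERR_TRUNCATED;
    if (rd32(buf) != EMR_HEADER_TYPE) return EMF_ERR_BAD_TYPE;
    if (rd32(buf + OFF_SIGNATURE) != EMR_HEADER_SIGNATURE) return EMF_ERR_BAD_SIGNATURE;

    out->record_size     = rd32(buf + OFF_RECORD_SIZE);
    out->n_description   = rd32(buf + OFF_N_DESCRIPTION);
    out->off_description = rd32(buf + OFF_OFF_DESCRIPTION);

    /* recordSize must cover the fixed fields and must not exceed the bytes we hold. */
    if (out->record_size < EMR_HEADER_FIXED_SIZE || out->record_size > len)
        return EMF_ERR_BAD_RECORD_SIZE;

    if (out->n_description != 0) {
        /* 64-bit arithmetic: a huge nDescription must not wrap the end offset to a small value. */
        uint64_t end = (uint64_t)out->off_description + (uint64_t)out->n_description * 2u;
        if (out->off_description < EMR_HEADER_FIXED_SIZE || end > out->record_size)
            return EMF_ERR_DESCRIPTION_OOB;   /* this is the check the crash shows is missing */
    }
    return EMF_OK;
}

/* The 0xC0-byte crafted EMR_HEADER, transcribed from the advisory's dumps at (2) and (4). */
static const uint8_t crafted_header[0xC0] = {
    0x01,0x00,0x00,0x00, 0xc0,0x00,0x00,0x00, 0x64,0x00,0x00,0x00, 0x64,0x00,0x00,0x00, /* 0x00 */
    0x1e,0x02,0x00,0x00, 0x77,0x02,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* 0x10 */
    0x20,0x03,0x00,0x00, 0x58,0x02,0x00,0x00, 0x20,0x45,0x4d,0x46, 0x00,0x00,0x01,0x00, /* 0x20 */
    0x64,0x02,0x00,0x00, 0x15,0x00,0x00,0x00, 0x02,0xfb,0xee,0x28, 0x00,0x00,0x00,0x29, /* 0x30 nDescription=0x29000000 */
    0x6c,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x0a,0x00,0x00,0x38, /* 0x40 offDescription=0x6c */
    0x04,0x00,0x00,0x1e, 0x03,0x00,0x00,0x4e, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* 0x50 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x30, 0x2d,0x0c,0x00,0xb0, 0x18,0x05,0x00,0x54, /* 0x60 */
    0x00,0x72,0x00,0x61, 0x00,0x6e,0x00,0x73, 0x00,0x66,0x00,0x6f, 0x00,0x72,0x00,0x6d, /* 0x70 */
    0x00,0x20,0x00,0x4f, 0x00,0x70,0x00,0x65, 0x00,0x72,0x00,0x61, 0x00,0x74,0x00,0x69, /* 0x80 */
    0x00,0x6f,0x00,0x6e, 0x00,0x73,0x00,0x20, 0x00,0x45,0x00,0x4d, 0x00,0x46,0x00,0x00, /* 0x90 */
    0x00,0x54,0x00,0x72, 0x00,0x61,0x00,0x6e, 0x00,0x73,0x00,0x66, 0x00,0x6f,0x00,0x72, /* 0xA0 */
    0x00,0x6d,0x00,0x20, 0x00,0x44,0x00,0x65, 0x00,0x6d,0x00,0x6f, 0x00,0x00,0x00,0x00, /* 0xB0 */
};

size_t crafted_header_len(void) { return sizeof crafted_header; }

/* Constructed variant: same bytes with nDescription = 0x29, so 0x6c + 0x29*2 = 0xBE <= 0xC0. */
const uint8_t *repaired_header(void)
{
    static uint8_t buf[sizeof crafted_header];
    memcpy(buf, crafted_header, sizeof buf);
    buf[OFF_N_DESCRIPTION + 0] = 0x29;
    buf[OFF_N_DESCRIPTION + 1] = 0x00;
    buf[OFF_N_DESCRIPTION + 2] = 0x00;
    buf[OFF_N_DESCRIPTION + 3] = 0x00;
    return buf;
}

int main(void)
{
    struct emf_header h;
    enum emf_status s = emf_parse_header(crafted_header, sizeof crafted_header, &h);
    printf("crafted : status=%d recordSize=0x%x nDescription=0x%08x offDescription=0x%x\n",
           (int)s, h.record_size, h.n_description, h.off_description);
    s = emf_parse_header(repaired_header(), sizeof crafted_header, &h);
    printf("repaired: status=%d nDescription=0x%x\n", (int)s, h.n_description);
    return 0;
}
```

The crafted header is rejected with `EMF_ERR_DESCRIPTION_OOB` before any copy takes place, while the repaired header passes; the same test also shows that a `recordSize` larger than the bytes actually read is rejected, which is the other half of keeping the later `memcpy` inside the buffer.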

See the security bulletin on trust.canva.com for the vulnerability details and vulnerable versions. (URL to advisory: https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62)

2026-01-27 – Vendor Disclosure

2026-03-17 – Vendor Patch Release

2026-03-17 – Public Release

Discovered by KPC of Cisco Talos.