CVE-2025-58427
Published: 17 March 2026
Summary
CVE-2025-58427 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Canva Affinity. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly addressing this out-of-bounds read vulnerability by applying vendor patches to Canva Affinity's EMF parser.
SI-16 implements memory protection mechanisms such as address space layout randomization and data execution prevention to mitigate out-of-bounds reads that disclose sensitive memory contents.
SI-10 enforces input validation and sanitization for files like EMF inputs to prevent malformed data from triggering out-of-bounds reads in the parser.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB read triggered by opening crafted EMF file directly maps to user execution of malicious file; info disclosure impact does not reliably map to further techniques without additional assumptions.
NVD Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Deeper analysisAI
CVE-2025-58427 is an out-of-bounds read vulnerability in the Enhanced Metafile (EMF) functionality of Canva Affinity software. The issue, tracked under CWE-125, allows an attacker to trigger an out-of-bounds read operation by supplying a specially crafted EMF file. Published on March 17, 2026, it carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L), indicating medium severity with high confidentiality impact.
An attacker with local access can exploit this vulnerability without privileges by tricking a user into opening a malicious EMF file within Canva Affinity. User interaction is required, such as processing the file through the application's EMF parser. Successful exploitation could result in the disclosure of sensitive information from memory, with a low potential for availability disruption but no integrity impact.
Advisories from Talos Intelligence (TALOS-2025-2314) and Canva's trust center detail the vulnerability, with references available at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2314, https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62, and https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2314. These sources likely outline detection, patching, or workaround guidance for affected Canva Affinity installations.
Details
- CWE(s)