CVE-2025-61979
Published: 17 March 2026
Summary
CVE-2025-61979 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Canva Affinity. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 3.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-61979 is an out-of-bounds read vulnerability (CWE-125) in the EMF functionality of Canva Affinity software. The issue allows exploitation via a specially crafted EMF file, potentially leading to the disclosure of sensitive information. It carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L) and was published on 2026-03-17T19:15:58.090.
The vulnerability requires local access (AV:L) and low attack complexity (AC:L), with no privileges needed (PR:N) but user interaction required (UI:R), such as opening the malicious EMF file in Canva Affinity. Attackers without privileges can exploit it to achieve high confidentiality impact (C:H) through information disclosure, alongside low availability impact (A:L) and no integrity impact (I:N), with no change in scope (S:U).
Mitigation details are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2299 (also at https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2299) and Canva's security update at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208789
Vulnerability details
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in the local EMF file parser enables information disclosure when a user opens a crafted file, which maps to Malicious File (T1204.002).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Patching (timely flaw remediation): directly mitigates the out-of-bounds read vulnerability by requiring timely remediation through patching the affected Canva Affinity EMF functionality.
- SI-16 (Memory Protection): implements memory protection mechanisms that prevent exploitation of out-of-bounds reads in EMF file processing for sensitive information disclosure.
- SI-10 (Information Input Validation): requires validation of EMF file inputs to detect and reject specially crafted files that trigger the out-of-bounds read vulnerability.
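The input-validation control applied to an EMF record stream, as an added illustration that is not Affinity code and does not reproduce the actual flaw (the advisory does not detail the exact trigger): every record's declared nSize is checked against the bytes remaining in the buffer before anything beyond the header is read. It assumes only the public EMF record layout (4-byte type, 4-byte little-endian nSize, 4-byte alignment, EMR_EOF = 14); the sample byte streams are constructed, not real Affinity files.

```c
#include <stddef.h>
#include <stdint.h>
/* Every EMF record starts with an 8-byte header: a 4-byte record type and a
 * 4-byte nSize giving the full record length (header included), little-endian. */
#define EMR_HEADER_SIZE 8u
#define EMR_EOF_TYPE 14u

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the record stream without ever touching memory beyond buf[len-1].
 * Returns the number of records up to and including EMR_EOF, or -1 if any
 * record header or declared nSize would force a read outside the buffer. */
int emf_count_records(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < EMR_HEADER_SIZE)            /* header itself is cut off */
            return -1;
        uint32_t type = rd_le32(buf + off);
        uint32_t size = rd_le32(buf + off + 4);
        if (size < EMR_HEADER_SIZE || (size & 3u))  /* records are 4-byte aligned */
            return -1;
        if (size > len - off)                       /* body would be read out of bounds */
            return -1;
        count++;
        if (type == EMR_EOF_TYPE)
            return count;
        off += size;                                /* cannot overflow: size <= len - off */
    }
    return -1;                                      /* stream ended with no EMR_EOF */
}

/* Constructed sample streams (not real Affinity test files). */
static const uint8_t emf_ok[] = {
    1, 0, 0, 0, 16, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD, 0x11, 0x22, 0x33, 0x44, /* type 1, 16 bytes */
    14, 0, 0, 0, 8, 0, 0, 0                                                  /* EMR_EOF, 8 bytes */
};
static const uint8_t emf_oversized[] = { 1, 0, 0, 0, 0x00, 0x10, 0x00, 0x00 }; /* claims 4096 bytes */
static const uint8_t emf_truncated[] = { 1, 0, 0, 0, 16, 0, 0, 0, 0xAA, 0xBB }; /* body cut short */
/* Returns 1 when the validator accepts the well-formed stream and rejects both malformed ones. */
int emf_selftest(void) {
    return emf_count_records(emf_ok, sizeof emf_ok) == 2 &&
           emf_count_records(emf_oversized, sizeof emf_oversized) == -1 &&
           emf_count_records(emf_truncated, sizeof emf_truncated) == -1;
}
```

A parser that trusts nSize and reads the record body before this check is exactly the pattern that produces a CWE-125 read past the file buffer.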