Cyber Posture

CVE-2025-62403

MediumPublic PoC

Published: 17 March 2026

Published
17 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
EPSS Score 0.0001 2.5th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-62403 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Canva Affinity. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the CVE by requiring timely flaw remediation through vendor patches that fix the out-of-bounds read in Canva Affinity's EMF parsing.

SI-10 Information Input Validation good match
prevent

Prevents exploitation of the crafted EMF file by enforcing validation of information inputs to ensure proper bounds checking during parsing.

SI-16 Memory Protection good match
prevent

Protects against sensitive information disclosure from the out-of-bounds read by implementing memory safeguards such as address space layout randomization and confidentiality protections.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Vulnerability is triggered by user opening a crafted EMF file, directly enabling T1204.002 (Malicious File) for local info disclosure; no RCE or other behaviors described.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

Deeper analysisAI

CVE-2025-62403 is an out-of-bounds read vulnerability (CWE-125) in the EMF functionality of Canva Affinity. The issue, published on 2026-03-17, allows an attacker to exploit a specially crafted EMF file, triggering an out-of-bounds read that could lead to the disclosure of sensitive information. It has a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L), indicating medium severity with high confidentiality impact.

An attacker with local access can exploit this vulnerability by convincing a user to open a maliciously crafted EMF file in Canva Affinity, requiring no privileges but relying on user interaction. Successful exploitation enables the disclosure of sensitive information from memory, with potential low impact on availability but no integrity compromise.

For mitigation details, refer to advisories from Talos Intelligence (TALOS-2025-2321) and Canva's trust center.

Details

CWE(s)
CWE-125

Affected Products

canva
affinity
≤ 3.1.0

CVEs Like This One

CVE-2025-64735Same product: Canva Affinity
CVE-2025-65119Same product: Canva Affinity
CVE-2026-22882Same product: Canva Affinity
CVE-2025-62500Same product: Canva Affinity
CVE-2026-20726Same product: Canva Affinity
CVE-2025-61979Same product: Canva Affinity
CVE-2025-66503Same product: Canva Affinity
CVE-2025-64733Same product: Canva Affinity
CVE-2025-66617Same product: Canva Affinity
CVE-2025-58427Same product: Canva Affinity

References