CVE-2025-64776
Published: 17 March 2026
Summary
CVE-2025-64776 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Canva Affinity. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 3.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-64776 is an out-of-bounds read vulnerability (CWE-125) in the EMF functionality of Canva Affinity software. Published on 2026-03-17, it carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L). The flaw can be triggered by processing a specially crafted EMF file, enabling an out-of-bounds read that may disclose sensitive information.
Exploitation requires local access to the target system and user interaction, such as opening the malicious EMF file, with low attack complexity and no privileges needed. A successful attack could achieve high-impact confidentiality loss through sensitive data exposure, alongside low availability disruption, but no integrity impact.
Mitigation details are outlined in advisories from Talos Intelligence (TALOS-2025-2311) and Canva's Trust Center. Security practitioners should consult these references for patching instructions and workarounds specific to affected Canva Affinity versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208799
Vulnerability details
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read triggered by opening a crafted local EMF file directly enables T1204.002 (Malicious File) via user interaction; info disclosure impact is secondary and does not map to additional techniques without further assumptions.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely flaw remediation, directly addressing the out-of-bounds read vulnerability by mandating patches for affected Canva Affinity versions as specified in advisories.
SI-16 implements memory protections such as address space randomization and non-executable memory, comprehensively mitigating out-of-bounds read exploits that disclose sensitive information.
SI-10 enforces input validation on EMF files processed by Canva Affinity, preventing specially crafted files from triggering the out-of-bounds read vulnerability.