CVE-2025-66503
Published: 17 March 2026
Summary
CVE-2025-66503 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Canva Affinity. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation requires timely patching of vulnerabilities like the out-of-bounds read in Canva Affinity's EMF parser, directly eliminating the CVE-2025-66503 exploit vector.
Memory protection mechanisms protect against out-of-bounds reads by enforcing bounds checking and preventing unauthorized memory access that could disclose sensitive information.
Information input validation ensures specially crafted EMF files are checked and rejected before processing, blocking the trigger for the out-of-bounds read vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is triggered by opening a malicious EMF file, directly mapping to user execution of a malicious file.
NVD Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Deeper analysisAI
CVE-2025-66503 is an out-of-bounds read vulnerability (CWE-125) in the EMF functionality of Canva Affinity. The flaw allows a specially crafted EMF file to trigger an out-of-bounds read, potentially leading to the disclosure of sensitive information. It carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L) and was published on 2026-03-17T19:15:59.913.
The vulnerability requires local access (AV:L) and low attack complexity (AC:L), with no privileges (PR:N) but user interaction (UI:R) needed, such as opening a malicious EMF file in Canva Affinity. Exploitation results in high confidentiality impact (C:H) through sensitive information disclosure and low availability impact (A:L), with no integrity impact (I:N) or scope change (S:U). Attackers can thus target users processing untrusted EMF files locally.
Mitigation guidance is available in the Cisco Talos Intelligence report at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2318 (or https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2318) and Canva's trust center advisory at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62. Security practitioners should consult these for patching instructions and workarounds.
Details
- CWE(s)