CVE-2025-61952 is a medium-severity vulnerability classified under CWE-125 (Out-of-bounds Read) affecting Canva Affinity version 3.0.1.3808. The flaw exists in the Enhanced Metafile (EMF) processing component, where the application improperly handles specially crafted EMF files. When a malicious EMF file is opened, the application reads memory beyond the allocated buffer boundaries, potentially exposing sensitive data residing in adjacent memory areas. This vulnerability does not allow code execution or modification of data but can lead to information disclosure, which may include sensitive user data or application internals. The attack vector requires local access (AV:L) and user interaction (UI:R), meaning the victim must open the malicious file. No privileges are required (PR:N), and the scope remains unchanged (S:U). The CVSS v3.1 base score is 6.1, reflecting a high impact on confidentiality but no impact on integrity and low impact on availability. There are currently no known exploits in the wild, and no official patches have been published yet. The vulnerability was reserved in December 2025 and published in March 2026. Given the nature of the flaw, attackers may use social engineering to trick users into opening malicious EMF files, often embedded in documents or shared via email or file sharing platforms. The vulnerability highlights the need for secure parsing of complex file formats like EMF in graphic design software.

The primary impact of CVE-2025-61952 is unauthorized disclosure of sensitive information from the memory of Canva Affinity when processing malicious EMF files. This can lead to leakage of confidential user data, intellectual property, or application internal state, which may aid further attacks or compromise privacy. Although it does not allow code execution or data manipulation, the information disclosure can be leveraged in targeted attacks or espionage, especially in creative industries handling sensitive design assets. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk, as attackers can deliver malicious files via phishing or insider threats. Organizations using Canva Affinity in sectors such as media, advertising, and design may face reputational damage and compliance issues if sensitive data is leaked. The absence of patches increases exposure until a fix is released. The vulnerability also underscores potential risks in handling complex vector graphic formats, which are common in creative workflows worldwide.

To mitigate CVE-2025-61952, organizations should implement the following specific measures: 1) Restrict or disable the opening of EMF files from untrusted or unknown sources within Canva Affinity until a patch is available. 2) Educate users about the risks of opening unsolicited or suspicious EMF files, emphasizing cautious handling of email attachments and shared files. 3) Employ application whitelisting and sandboxing techniques to isolate Canva Affinity processes, limiting the impact of potential memory disclosures. 4) Monitor and filter inbound emails and file shares for EMF files or suspicious content using advanced threat detection tools. 5) Once a vendor patch is released, prioritize timely deployment to affected systems. 6) Consider using endpoint detection and response (EDR) solutions to detect anomalous behavior related to file processing. 7) Maintain regular backups and incident response plans to quickly address any exploitation attempts. These targeted mitigations go beyond generic advice by focusing on controlling EMF file handling and user awareness in the context of Canva Affinity.