CVE-2025-61979 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) found in the EMF (Enhanced Metafile) functionality of Canva Affinity version 3.0.1.3808. The flaw arises when the software processes specially crafted EMF files, leading to an out-of-bounds read condition. This means the program reads memory outside the bounds of a buffer, which can result in the disclosure of sensitive information stored in adjacent memory areas. The vulnerability does not allow code execution or modification of data but can leak confidential data, potentially including user credentials, cryptographic keys, or other sensitive application data. Exploitation requires user interaction, specifically opening or importing a malicious EMF file, and does not require any prior authentication or elevated privileges. The CVSS 3.1 base score is 6.1, reflecting a medium severity with an attack vector of local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The impact is high on confidentiality (C:H), none on integrity (I:N), and low on availability (A:L). No known exploits have been reported in the wild, and no official patches have been published as of the vulnerability disclosure date (March 17, 2026). This vulnerability highlights the risks associated with processing complex file formats like EMF in graphic design software and underscores the need for robust input validation and memory safety checks.

The primary impact of CVE-2025-61979 is the potential unauthorized disclosure of sensitive information from the memory of systems running Canva Affinity 3.0.1.3808. While it does not allow attackers to execute arbitrary code or alter data, leaking confidential information can lead to further attacks such as credential theft, intellectual property exposure, or privacy violations. The requirement for user interaction limits the scope somewhat, but targeted phishing or social engineering campaigns could trick users into opening malicious EMF files. Organizations in creative industries, marketing, and design that rely on Canva Affinity for content creation may face risks of data leakage. Additionally, the vulnerability could be leveraged in multi-stage attacks where information gained is used to escalate privileges or compromise other systems. The absence of patches increases the window of exposure, and the lack of known exploits suggests it is not yet actively weaponized, but this could change rapidly once exploit code is developed.

To mitigate CVE-2025-61979, organizations should implement the following specific measures: 1) Avoid opening or importing EMF files from untrusted or unknown sources until a patch is available. 2) Employ strict email and file filtering to block or quarantine EMF files, especially in environments where Canva Affinity is used. 3) Educate users about the risks of opening unsolicited or suspicious graphic files and encourage verification of file origins. 4) Use application whitelisting and sandboxing techniques to isolate Canva Affinity processes and limit potential data exposure. 5) Monitor network and endpoint logs for unusual activity related to file handling or memory access anomalies. 6) Stay informed on vendor advisories and apply patches promptly once released. 7) Consider disabling or restricting EMF file support in Canva Affinity if feasible, or use alternative file formats with lower risk profiles. These targeted actions go beyond generic advice by focusing on controlling the specific attack vector and reducing the likelihood of successful exploitation.