CVE-2025-64301 is an out-of-bounds write vulnerability classified under CWE-787, found in the Enhanced Metafile (EMF) processing functionality of Canva Affinity version 3.0.1.3808. The flaw arises when the software processes a specially crafted EMF file, allowing an attacker to write data outside the intended memory bounds. This memory corruption can lead to arbitrary code execution, enabling attackers to compromise the affected system. The vulnerability requires no privileges but does require user interaction, specifically opening or importing a malicious EMF file. The CVSS v3.1 base score is 7.8, indicating high severity, with impacts on confidentiality, integrity, and availability. The attack vector is local (AV:L), meaning the attacker must have local access or trick a user into opening the file. The vulnerability scope is unchanged (S:U), so the impact is limited to the vulnerable component. No public exploits or patches are currently available, increasing the urgency for defensive measures. This vulnerability is particularly concerning for organizations relying on Canva Affinity for graphic design and document creation, as it could be leveraged to execute arbitrary code, potentially leading to full system compromise or lateral movement within networks.

The potential impact of CVE-2025-64301 is significant for organizations using Canva Affinity, especially those handling untrusted or externally sourced EMF files. Successful exploitation can lead to arbitrary code execution, allowing attackers to gain unauthorized access, execute malicious payloads, or disrupt system operations. This compromises confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by potentially crashing or destabilizing the application or host system. Given the local attack vector and requirement for user interaction, social engineering or phishing campaigns could be used to deliver malicious EMF files. The lack of patches increases exposure time, raising the risk of targeted attacks. Organizations in creative industries, marketing, publishing, and any sector relying on Canva Affinity for document and graphic workflows face operational and reputational risks. Additionally, compromised systems could serve as footholds for broader network intrusions or data exfiltration.

Until an official patch is released, organizations should implement specific mitigations to reduce risk. First, restrict or disable the processing of EMF files within Canva Affinity where possible, or configure the software to block or warn about opening EMF files from untrusted sources. Educate users about the risks of opening unsolicited or suspicious EMF files, emphasizing caution with email attachments and downloads. Employ endpoint protection solutions capable of detecting anomalous behavior related to memory corruption or code execution attempts within Canva Affinity. Monitor logs and network traffic for unusual activity indicative of exploitation attempts. Consider isolating systems running Canva Affinity in segmented network zones to limit lateral movement. Maintain up-to-date backups to enable recovery in case of compromise. Finally, track vendor communications closely for patches or updates addressing this vulnerability and apply them promptly once available.