CVE-2025-64735 is a medium-severity vulnerability classified under CWE-125 (Out-of-bounds Read) affecting Canva Affinity version 3.0.1.3808. The flaw exists in the Enhanced Metafile (EMF) processing component, where a specially crafted EMF file can trigger an out-of-bounds read operation. This means the software reads memory outside the intended buffer boundaries, potentially exposing sensitive data stored in adjacent memory locations. The vulnerability does not allow code execution or modification of data but can lead to information disclosure, which attackers might leverage for further attacks such as credential theft or reconnaissance. Exploitation requires the victim to open or process a malicious EMF file, implying user interaction is necessary. The attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), none on integrity (I:N), and low on availability (A:L). No known exploits have been reported in the wild, and no official patches have been released at the time of this report. The vulnerability was reserved in December 2025 and published in March 2026. Given the nature of the flaw, it is primarily a risk for users who handle untrusted EMF files within Canva Affinity, especially in environments where sensitive information is processed or stored in memory during file handling.

The primary impact of CVE-2025-64735 is the potential unauthorized disclosure of sensitive information from memory due to an out-of-bounds read. This can compromise confidentiality, exposing data such as user credentials, cryptographic keys, or other sensitive application data. Although the vulnerability does not allow direct code execution or system compromise, the leaked information could facilitate subsequent attacks, including privilege escalation or lateral movement within a network. The requirement for user interaction and local access limits the attack surface, but targeted spear-phishing or social engineering campaigns could exploit this vulnerability effectively. Organizations relying on Canva Affinity for graphic design, especially those handling confidential or proprietary content, face risks of data leakage. The absence of a patch increases exposure duration, and the lack of known exploits suggests the threat is currently theoretical but could evolve. The impact on availability and integrity is minimal, but the confidentiality breach alone warrants attention in sensitive environments.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict or disable the processing of EMF files within Canva Affinity, especially from untrusted or external sources. 2) Educate users to avoid opening EMF files received via email or downloaded from unverified websites. 3) Employ endpoint protection solutions capable of detecting and blocking suspicious EMF files or anomalous behavior during file processing. 4) Monitor application logs and system behavior for unusual memory access patterns or crashes related to Canva Affinity. 5) Use application whitelisting and sandboxing to limit the impact of potential exploitation. 6) Regularly back up critical data to mitigate indirect effects of exploitation attempts. 7) Stay informed on vendor communications for patches or updates addressing this vulnerability and apply them promptly once available. 8) Consider network segmentation to isolate systems running Canva Affinity from sensitive internal resources to reduce lateral movement risk.