CVE-2025-64776 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) affecting the EMF (Enhanced Metafile) processing functionality in Canva Affinity version 3.0.1.3808. The vulnerability arises when the software processes a specially crafted EMF file, causing it to read memory outside the intended buffer boundaries. This out-of-bounds read can lead to the disclosure of sensitive information residing in adjacent memory areas, potentially exposing confidential data to an attacker. The attack requires the victim to open or import a malicious EMF file, meaning user interaction is necessary. The vulnerability has an attack vector of local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L), resulting in a CVSS v3.1 score of 6.1. There are no known exploits in the wild, and no patches have been released at the time of publication. The vulnerability does not allow remote code execution or privilege escalation but poses a risk of sensitive data leakage. The flaw is specifically tied to the EMF file parsing component, which is commonly used for vector graphics and print-related workflows within the application.

The primary impact of CVE-2025-64776 is the potential unauthorized disclosure of sensitive information from the memory of systems running Canva Affinity 3.0.1.3808 when processing malicious EMF files. This can compromise confidentiality, especially if the leaked data includes credentials, personal information, or proprietary content. Although the vulnerability does not allow code execution or system control, the exposure of sensitive data can lead to further attacks such as social engineering, credential theft, or intellectual property loss. Organizations relying on Canva Affinity for design work, particularly those handling sensitive or regulated data, face increased risk if users open untrusted EMF files. The requirement for local access and user interaction limits the attack surface, but insider threats or phishing campaigns delivering malicious EMF files could exploit this vulnerability. The absence of patches increases exposure duration, and the lack of known exploits suggests limited current exploitation but potential future risk.

To mitigate CVE-2025-64776, organizations should implement the following specific measures: 1) Restrict or disable the import and opening of EMF files within Canva Affinity until a patch is available, especially from untrusted or unknown sources. 2) Educate users about the risks of opening unsolicited or suspicious EMF files and enforce strict email and file attachment policies to reduce the likelihood of malicious file delivery. 3) Monitor file system and application logs for unusual EMF file access or crashes that may indicate exploitation attempts. 4) Employ endpoint protection solutions capable of detecting anomalous behavior related to file parsing or memory access violations. 5) Maintain up-to-date backups and implement least privilege principles to limit the impact of any potential data exposure. 6) Once available, promptly apply official patches or updates from Canva to remediate the vulnerability. 7) Consider sandboxing or isolating Canva Affinity usage environments to contain potential data leakage. These targeted actions go beyond generic advice by focusing on controlling EMF file handling and user awareness specific to this vulnerability.