CVE-2025-66000 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) affecting the EMF functionality in Canva Affinity version 3.0.1.3808. The vulnerability arises when the software processes a specially crafted Enhanced Metafile (EMF) file, which leads to an out-of-bounds read operation. This means the program reads memory beyond the intended buffer boundaries, potentially exposing sensitive information stored in adjacent memory regions. The flaw does not allow code execution or modification of data but can leak confidential information, impacting confidentiality. The attack vector is local (AV:L), requiring the victim to open a malicious EMF file, thus user interaction is necessary (UI:R). No privileges are required (PR:N), and the scope is unchanged (S:U). The CVSS v3.1 base score is 6.1, reflecting a medium risk level primarily due to the potential confidentiality breach. There are no known exploits in the wild at this time, and no patches have been published yet. The vulnerability was reserved in December 2025 and published in March 2026. Canva Affinity is a popular graphic design tool, and the EMF format is commonly used for vector graphics, making this vulnerability relevant for users handling EMF files. The vulnerability could be leveraged by attackers to extract sensitive data from memory, which may include user credentials, proprietary designs, or other confidential information.

The primary impact of CVE-2025-66000 is the potential disclosure of sensitive information from the memory of systems running Canva Affinity 3.0.1.3808 when processing malicious EMF files. This could lead to leakage of confidential user data, intellectual property, or other sensitive content stored in memory. Although the vulnerability does not allow code execution or system compromise, the confidentiality breach can have serious consequences for organizations relying on Canva Affinity for design work, especially those handling sensitive or proprietary information. The requirement for local access and user interaction limits the attack surface but does not eliminate risk, particularly in environments where users might receive EMF files from untrusted sources via email or file sharing. The vulnerability could be exploited in targeted attacks against creative professionals, marketing teams, or any users who open untrusted EMF files. The lack of known exploits in the wild reduces immediate risk but does not preclude future exploitation. Overall, the impact is moderate but significant enough to warrant prompt mitigation to protect sensitive data confidentiality.

Organizations should implement the following specific mitigations: 1) Restrict or block the opening of EMF files from untrusted or unknown sources within Canva Affinity until a patch is available. 2) Educate users about the risks of opening unsolicited or suspicious EMF files, emphasizing cautious handling of email attachments and downloads. 3) Employ application whitelisting or sandboxing techniques to isolate Canva Affinity processes, limiting the potential impact of malicious files. 4) Monitor and audit file access and user activity related to EMF files to detect anomalous behavior. 5) Once a vendor patch or update is released, prioritize immediate deployment to affected systems. 6) Consider disabling EMF support in Canva Affinity if feasible, or use alternative file formats for vector graphics. 7) Maintain up-to-date endpoint protection and intrusion detection systems to identify potential exploitation attempts. These targeted steps go beyond generic advice by focusing on controlling EMF file handling and user awareness specific to this vulnerability.