CVE-2025-66042 is a medium-severity vulnerability classified under CWE-125 (Out-of-bounds Read) affecting Canva Affinity version 3.0.1.3808. The flaw resides in the Enhanced Metafile (EMF) processing component of the software. Specifically, when parsing specially crafted EMF files, the application performs reads beyond the allocated memory buffer boundaries. This out-of-bounds read can cause the application to disclose contents of adjacent memory, potentially leaking sensitive information such as user data or application internals. Exploitation requires a user to open or import a malicious EMF file, which implies user interaction and local access. The vulnerability does not allow code execution or modification of data but compromises confidentiality by exposing memory contents. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L) indicates that the attack vector is local, with low attack complexity, no privileges required, but user interaction is necessary. The scope is unchanged, and the impact is high on confidentiality, none on integrity, and low on availability. No public exploits or patches are currently available, and the vulnerability was published in March 2026. The vulnerability was assigned by Talos and is currently in a published state.

The primary impact of CVE-2025-66042 is the potential unauthorized disclosure of sensitive information from the memory of systems running Canva Affinity 3.0.1.3808. This can lead to leakage of confidential user data, proprietary information, or application internals that could facilitate further attacks. Since the vulnerability requires user interaction to open a malicious EMF file, the risk is higher in environments where users frequently exchange or import EMF files, such as graphic design or marketing teams. The lack of integrity or availability impact means attackers cannot modify data or disrupt services directly through this flaw. However, the confidentiality breach could have compliance and privacy implications, especially for organizations handling sensitive or regulated data. The absence of known exploits reduces immediate risk, but the medium severity and potential for information leakage warrant prompt attention. Organizations worldwide using this software version are at risk, particularly those with high-value intellectual property or sensitive customer data.

Organizations should implement the following specific mitigations: 1) Restrict or monitor the use of EMF files within Canva Affinity, especially from untrusted or external sources. 2) Educate users about the risks of opening unsolicited or suspicious EMF files and enforce policies to verify file origins. 3) Employ application whitelisting or sandboxing techniques to limit the impact of potential exploitation. 4) Monitor vendor communications closely for patches or updates addressing this vulnerability and apply them promptly once available. 5) Use endpoint detection and response (EDR) tools to detect anomalous behavior related to file parsing or memory access within Canva Affinity. 6) Consider disabling or limiting EMF file support in Canva Affinity if feasible in the operational environment. 7) Conduct regular security awareness training emphasizing safe file handling practices. These measures go beyond generic advice by focusing on controlling the attack vector (EMF files) and user behavior, as well as proactive monitoring and containment.