CVE-2025-66503: CWE-125: Out-of-bounds Read in Canva Affinity
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
AI Analysis
Technical Summary
CVE-2025-66503 is identified as an out-of-bounds read vulnerability (CWE-125) in the EMF functionality of Canva Affinity, specifically version 3.0.1.3808. The vulnerability arises when the software processes a specially crafted Enhanced Metafile (EMF), a graphics file format used for vector images. The flaw allows an attacker to read memory outside the intended buffer boundaries, potentially exposing sensitive data stored in adjacent memory regions. This type of vulnerability does not typically allow code execution but can leak confidential information such as cryptographic keys, user data, or other sensitive content residing in memory. The attack vector is local, meaning the attacker must have access to the system and convince a user to open or process the malicious EMF file, requiring user interaction. The CVSS v3.1 base score of 6.1 reflects a medium severity, with high confidentiality impact, no integrity impact, and low availability impact. The vulnerability does not require privileges, making it easier to exploit if local access is obtained. No patches or fixes have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability was reserved in December 2025 and published in March 2026 by Talos, indicating a recent discovery. Given the nature of the flaw, it is primarily a risk in environments where untrusted EMF files might be received and opened, such as in creative or design workflows.
Potential Impact
The primary impact of CVE-2025-66503 is the potential disclosure of sensitive information from the memory of systems running Canva Affinity 3.0.1.3808. This can lead to confidentiality breaches, exposing user data, credentials, or other sensitive information that resides in memory at the time of exploitation. While the vulnerability does not allow for code execution or system takeover, the leakage of sensitive data can facilitate further attacks, such as social engineering or privilege escalation. The requirement for local access and user interaction limits the scope of exploitation, reducing the risk of widespread remote attacks. However, in organizations where Canva Affinity is used extensively for graphic design and where files are shared frequently, the risk of receiving malicious EMF files is non-negligible. The vulnerability could be exploited by insiders or through phishing campaigns delivering malicious files. The lack of available patches increases exposure until a fix is released. Overall, the impact is moderate but significant for confidentiality-sensitive environments.
Mitigation Recommendations
To mitigate CVE-2025-66503, organizations should implement the following specific measures:
1) Restrict the opening of EMF files from untrusted or unknown sources within Canva Affinity until a patch is available.
2) Employ application whitelisting or sandboxing techniques to isolate Canva Affinity processes, limiting the potential impact of malicious files.
3) Educate users about the risks of opening unsolicited or suspicious EMF files, emphasizing caution with file attachments and downloads.
4) Monitor file-sharing channels and email gateways for EMF files and apply content filtering to block or flag suspicious files.
5) Maintain strict access controls to limit local access to systems running Canva Affinity, reducing the attack surface.
6) Regularly back up critical data and maintain incident response plans to quickly address any potential data leakage events.
7) Stay informed about updates from Canva and apply patches promptly once released.
8) Consider disabling or restricting EMF file support in Canva Affinity if feasible within operational requirements.
These targeted actions go beyond generic advice by focusing on the specific attack vector and file format involved.
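For measure 4, a gateway or file-share filter can recognise EMF content by its header signature instead of its extension and flag files whose record structure is internally inconsistent. The following is an added example, not code from Canva, Talos or this page: the function names and sample bytes are constructed, the field offsets follow the published EMF record layout, and since the page does not say which EMF field triggers the read, an empty result is not evidence that a file is safe for the affected version.

```python
import struct

EMR_HEADER, EMR_EOF = 1, 14     # record type values in the EMF format
EMF_SIGNATURE = 0x464D4520      # " EMF", stored at offset 40 of the header record
MIN_HEADER = 88                 # size of the base header record

def triage_emf(data: bytes) -> list[str]:
    """Return structural findings for an EMF byte string; [] means consistent."""
    if len(data) < MIN_HEADER:
        return ["too short for an EMF header"]
    rtype, hsize = struct.unpack_from("<II", data, 0)
    sig, _version, nbytes, nrecords = struct.unpack_from("<IIII", data, 40)
    if rtype != EMR_HEADER or sig != EMF_SIGNATURE:
        return ["not an EMF file"]
    findings = []
    if hsize < MIN_HEADER:
        findings.append(f"header record size {hsize} is below {MIN_HEADER}")
    if nbytes != len(data):
        findings.append(f"header Bytes={nbytes}, actual length {len(data)}")
    offset, count, saw_eof = 0, 0, False
    while not saw_eof and offset + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, offset)
        # Every record is at least 8 bytes, 4-byte aligned, and inside the file.
        if size < 8 or size % 4 or offset + size > len(data):
            findings.append(f"record {count} at offset {offset}: size {size} "
                            "is invalid or runs past end of file")
            return findings
        count += 1
        offset += size
        saw_eof = rtype == EMR_EOF
    if not saw_eof:
        findings.append("no EMR_EOF record before end of data")
    if count != nrecords:
        findings.append(f"header Records={nrecords}, walked {count}")
    if offset != len(data):
        findings.append(f"{len(data) - offset} bytes after final record")
    return findings

def build_sample_emf() -> bytes:
    """Constructed minimal EMF: one header record followed by EMR_EOF."""
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 0, 20)
    total = MIN_HEADER + len(eof)
    header = (struct.pack("<II", EMR_HEADER, MIN_HEADER) + bytes(32)
              + struct.pack("<IIIIHH", EMF_SIGNATURE, 0x10000, total, 2, 1, 0)
              + bytes(28))
    return header + eof

if __name__ == "__main__":
    print(triage_emf(build_sample_emf()))
```

Files that return findings are candidates for quarantine or manual review before they reach a workstation running the affected version.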
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-12-10T13:00:14.243Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b9aee0771bdb1749d152d9
Added to database: 3/17/2026, 7:43:28 PM
Last enriched: 3/17/2026, 7:59:47 PM
Last updated: 3/18/2026, 3:05:56 AM