Skip to main content
Mallory
Back to vulnerabilities
MediumPublic exploit

NTLM Hash Disclosure in Windows Snipping Tool ms-screensketch URI Handler

IdentifiersCVE-2026-33829CWE-200· Exposure of Sensitive Information…

CVE-2026-33829 is a moderate-severity spoofing/information disclosure vulnerability in Microsoft Windows Snipping Tool. The flaw is in the application's handling of deep links registered under the ms-screensketch URI scheme, specifically acceptance of a filePath parameter without sufficient validation. By supplying a crafted ms-screensketch link whose filePath points to an attacker-controlled UNC path, an attacker can cause Snipping Tool to initiate an outbound SMB connection to a remote server. During that connection, Windows may automatically perform NTLM authentication in the security context of the current user, exposing the user's Net-NTLMv2 response to the attacker. Public reporting describes exploitation via malicious webpages, phishing emails, or other crafted URL sources that launch Snipping Tool and make the activity appear legitimate while the credential material is leaked in the background.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in disclosure of the victim user's Net-NTLMv2 hash to an attacker-controlled SMB server. This is primarily a confidentiality impact. The captured credential material can be used for NTLM relay attacks against internal services and, depending on the environment and password strength, may also support offline cracking attempts. Reporting indicates no direct integrity or availability impact from the vulnerability itself, but secondary compromise may follow if the leaked credentials are reused successfully for authentication or lateral movement.

Mitigation

If you can’t patch tonight, do this now.

If patching cannot be completed immediately, reduce exposure by blocking outbound SMB traffic, especially TCP/445 and TCP/139, to untrusted or external destinations. Enforce SMB signing to reduce the utility of captured hashes in relay scenarios. Disable or restrict NTLM where operationally feasible. Monitor for unexpected outbound SMB connections and suspicious invocation of ms-screensketch links from browsers, email clients, or other user-facing applications. User awareness measures against malicious links and launch prompts can further reduce exploitability because exploitation requires user interaction.

Remediation

Patch, then assume compromise.

Apply Microsoft's April 14, 2026 security updates that address CVE-2026-33829 in affected Windows Snipping Tool deployments. Organizations should prioritize patching systems running vulnerable Snipping Tool versions on supported Windows 10, Windows 11, and Windows Server platforms referenced in vendor reporting. Validate that the updated Snipping Tool no longer permits untrusted ms-screensketch filePath values to trigger outbound SMB authentication to arbitrary UNC paths.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationSnipping Toolapplication
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows 11 25h2operating_system
Microsoft CorporationWindows 11 26h1operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

26 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

26 SOURCESView more in app
scworldNews
Jun 3, 2026
Unpatched Windows search URI handler issue leaks NTLMv2 hashes | brief | SC Media

A previously patched vulnerability in the Windows Snipping Tool referenced as similar to the newly disclosed Windows search URI handler NTLMv2 hash leakage issue.

Read more
the hacker newsNews
Jun 3, 2026
Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

A spoofing vulnerability in the Windows Snipping Tool ms-screensketch: URI handler that can disclose a user's NTLMv2/Net-NTLMv2 hash by causing the system to connect to an attacker-controlled SMB/UNC path.

Read more
cyber security newsNews
Jun 3, 2026
Windows Search URI Handler Flaw Leaks NTLMv2 Hashes to Attacker-Controlled Servers

An NTLM credential leakage vulnerability in Microsoft Snipping Tool's ms-screensketch URI handler that can trigger outbound SMB authentication and expose Net-NTLMv2 hashes via a remote UNC path.

Read more
cyber security newsNews
Apr 21, 2026
PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability

A vulnerability in Microsoft Windows Snipping Tool’s handling of the ms-screensketch deep link URI allows an attacker to supply a UNC path via the filePath parameter, coercing an authenticated SMB connection and exposing the victim’s Net-NTLM hash.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-33829
NVD
nvd.nist.gov/vuln/detail/CVE-2026-33829
MITRE CWE · CWE-200
Exposure of Sensitive Information to an…
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33829
github.com
github.com/blackarrowsec/redteam-research/tree/master/CVE-2026-33829