Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes
ID: f42d1a2f-3fdc-5883-9014-4881a43b0f82
STIX ID: report--f42d1a2f-3fdc-5883-9014-4881a43b0f82
Feed Name: The Hacker News
Researchers disclosed an unpatched flaw in the Windows search: URI handler, in which a crafted URL using a "crumb=location:" UNC path can trigger SMB authentication to an attacker-controlled server and leak the user's Net-NTLMv2 hash. The behavior mirrors a previously patched Snipping Tool URI vulnerability (CVE-2026-33829); Microsoft declined to patch this issue after responsible disclosure. Captured hashes can be used for relay attacks and lateral movement. Short-term mitigations include blocking outbound SMB (TCP/445 and TCP/139), enforcing SMB signing, and disabling NTLM where feasible.
