Windows Snipping Tool Flaw Enables Network-Based NTLM Theft
Microsoft has disclosed a new spoofing vulnerability in the Windows Snipping Tool, tracked as CVE-2026-33829, that could allow a remote attacker to steal NTLMv2 authentication hashes from targeted users through a specially crafted link.
The flaw was officially published on April 14, 2026, as part of Microsoft’s April Patch Tuesday security updates.
CVE-2026-33829 is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor and carries a CVSS 3.1 base score of 4.3 (Moderate).
The vulnerability stems from the Snipping Tool’s registered deep link protocol, identified as ms-screensketch, a URI scheme that the application uses to handle incoming launch requests.
According to Microsoft’s advisory, the vulnerability’s attack vector is Network, with Low complexity and no privileges required, though user interaction remains a prerequisite.
When a specially crafted URL is processed, the tool can be coerced into initiating a connection to an attacker-controlled SMB server, inadvertently disclosing the victim’s NTLMv2 hash.
To exploit this flaw, an attacker must first trick a user into clicking a maliciously crafted link embedded in a webpage, email, or other URL source, and then confirm the launch of the Snipping Tool application.
Once the user approves the launch, the crafted URL forces the system to connect to an SMB server of the attacker’s choosing, leaking the user’s NTLMv2 hash. The attacker can then use this captured hash to authenticate as the victim in a relay or pass-the-hash attack scenario.
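The leak described above only works if the victim host can actually reach the attacker’s SMB server, so a defender’s first detection question is “which of my endpoints are opening TCP 445 to hosts outside the network?”. The following is an added example (not code from the article, from Microsoft, or from the Tarlogic researchers) that scans a constructed firewall log for outbound SMB connections to non-internal addresses. The log layout is assumed to follow the W3C-style `#Fields:` header of Windows Firewall’s pfirewall.log; the field names, the sample lines, and the internal-network list are all constructed here and should be adapted to your own log source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample lines in the layout of Windows Firewall's pfirewall.log
# (assumed layout: the parser reads the #Fields header, so other W3C-style
# logs with different column orders also work).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-15 10:21:33 ALLOW TCP 10.0.0.5 10.0.0.20 51230 445 0 - 0 0 0 - - - SEND
2026-04-15 10:21:40 ALLOW TCP 10.0.0.5 203.0.113.10 51234 445 0 - 0 0 0 - - - SEND
2026-04-15 10:21:41 ALLOW TCP 10.0.0.5 203.0.113.10 51235 80 0 - 0 0 0 - - - SEND
2026-04-15 10:21:45 DROP TCP 10.0.0.5 198.51.100.7 51240 445 0 - 0 0 0 - - - SEND
2026-04-15 10:21:50 ALLOW TCP 203.0.113.10 10.0.0.5 445 51234 0 - 0 0 0 - - - RECEIVE
"""

# Address ranges treated as "inside" the organisation (assumed; extend with
# your own routed ranges). Listed explicitly rather than relying on
# ipaddress.is_private, which also covers documentation ranges such as
# 203.0.113.0/24 and would hide the sample attacker host below.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

SMB_PORT = 445


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    action: str  # ALLOW means the hash may already have left; DROP is a blocked attempt


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_firewall_log(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other header/comment lines
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_external_smb(text: str) -> list[Finding]:
    """Return outbound TCP/445 connections whose destination is not internal."""
    findings = []
    for rec in parse_firewall_log(text):
        if rec["protocol"] != "TCP" or rec["path"] != "SEND":
            continue  # only outbound TCP matters for an SMB-based credential leak
        if rec["dst-port"] != str(SMB_PORT):
            continue
        if is_internal(rec["dst-ip"]):
            continue
        findings.append(Finding(
            timestamp=f"{rec['date']} {rec['time']}",
            src=rec["src-ip"],
            dst=rec["dst-ip"],
            action=rec["action"],
        ))
    return findings


if __name__ == "__main__":
    for f in find_external_smb(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{SMB_PORT} ({f.action})")
```

Against the sample, the two lines that matter are reported: the allowed connection to 203.0.113.10 (a hash may already have been captured there, so that endpoint’s credentials deserve follow-up) and the dropped attempt to 198.51.100.7 (evidence the egress rule is doing its job). Internal SMB traffic, non-445 traffic and inbound records are ignored, which keeps the output focused on the single network behaviour this class of bug depends on.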
Affected Systems
The flaw impacts a broad range of Windows versions. Security updates were released for:
- Windows 10 (versions 1607, 1809, 21H2, 22H2)
- Windows 11 (versions 23H2, 24H2, 25H2, 26H1)
- Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Patch and Mitigation
Microsoft has released official security updates as part of the April 2026 Patch Tuesday rollout to remediate the vulnerability.
There is currently no public exploit code, and Microsoft assesses exploitation as unlikely at this time. Researchers at Blackarrow (Tarlogic) responsibly disclosed the vulnerability through coordinated vulnerability disclosure.
Users and administrators should apply the relevant KB updates promptly, including KB5082200 for Windows 10 22H2 and KB5083769 for Windows 11 24H2/25H2, to prevent potential credential theft via NTLM hash capture.