How the Windows Snipping Tool’s CVE-2026-33829 Opens the Door to NTLM Hash Theft

Illustration showing Snipping Tool and NTLM hash exfiltration

Microsoft patched a moderate-severity flaw in the Windows Snipping Tool in the April 14, 2026 security updates that could let attackers trick the application into leaking authentication material. Tracked as CVE-2026-33829 and reported by Blackarrow (Tarlogic), the issue stems from how Snipping Tool handles certain deep links and can result in an authenticated Server Message Block (SMB) connection to an attacker-controlled server, exposing NTLMv2 hashes.

What the vulnerability is

CVE-2026-33829 is classified as an exposure of sensitive information (CWE-200) and carries a CVSS 3.1 score of 4.3. The root cause lies in how the Snipping Tool processes deep links using the ms-screensketch URI scheme. When the application fails to validate input correctly for parameters such as filePath, a crafted link can cause the tool to reach out to an external SMB share. That outbound connection can leak an authenticated NTLMv2 hash to the remote host.

How an attacker can exploit it

The exploit requires social engineering and user interaction but is low in complexity. Based on the disclosed proof-of-concept:

  • An attacker crafts a malicious ms-screensketch: link that sets the filePath parameter to an external SMB target.
  • The victim is lured into clicking the link from a phishing email or a compromised webpage and is prompted to confirm opening the Snipping Tool.
  • When the user allows the action, Snipping Tool fetches the remote resource over SMB, silently sending NTLM authentication data in the process.
  • The attacker captures the NTLMv2 hash and may use it to authenticate as the user on the network.

Affected systems

The flaw impacts numerous Microsoft platforms. The published disclosures and GitHub details indicate that affected versions include multiple releases of Windows 10 and Windows 11, and Windows Server editions from 2012 through 2025. Administrators should consult Microsoft’s advisory and the linked disclosure for an exact list of impacted builds in their environment.

Risk context and exploitation status

Although the vulnerability can result in a loss of confidentiality, it does not allow direct data modification or system crashes. Microsoft and the reporting researchers note the exploit code maturity is unproven and that, as of the advisory, there were no confirmed in-the-wild exploits. Microsoft assesses actual exploitation as unlikely, but the behavior is particularly well-suited to targeted social-engineering campaigns because the Snipping Tool opens normally and the SMB authentication occurs without obvious signs to the user.

Mitigations and recommendations

Immediate actions organizations and users should take:

  • Apply Microsoft’s April 14, 2026 security updates to affected systems as soon as possible.
  • Block outbound SMB (TCP port 445) at network egress points to prevent hosts from authenticating to external SMB servers.
  • Train employees to be cautious about clicking unexpected links and approving application launch prompts from web content.

Additional defensive measures to consider:

  • Review web-filtering and email security controls to reduce the likelihood of phishing lures reaching users.
  • Monitor network logs for unexpected SMB connections and investigate anomalous authentication attempts.
  • Where feasible, enforce network segmentation and minimize services that rely on legacy authentication protocols.
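The monitoring recommendation above, as an added example that is not part of the original article: the Python below scans Windows Firewall log lines (pfirewall.log field layout) for outbound TCP/445 connections to addresses outside the organization's internal ranges, which is exactly the traffic this flaw produces. The log lines and the internal network list are constructed assumptions; adjust INTERNAL_NETS to your own address plan.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample lines in Windows Firewall (pfirewall.log) format:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags
# tcpsyn tcpack tcpwin icmptype icmpcode info path
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-15 10:02:11 ALLOW TCP 10.0.0.12 10.0.0.5 49710 445 0 - 0 0 0 - - - SEND
2026-04-15 10:03:21 ALLOW TCP 10.0.0.12 203.0.113.7 49812 445 0 - 0 0 0 - - - SEND
2026-04-15 10:03:22 ALLOW TCP 10.0.0.12 203.0.113.7 49813 443 0 - 0 0 0 - - - SEND
2026-04-15 10:04:02 DROP TCP 10.0.0.12 198.51.100.9 49900 445 0 - 0 0 0 - - - SEND
2026-04-15 10:04:30 ALLOW TCP 198.51.100.9 10.0.0.12 50001 445 0 - 0 0 0 - - - RECEIVE
"""

# Assumed internal address space (RFC 1918 plus loopback and link-local);
# anything outside these networks is treated as an external SMB target.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class SmbEgress:
    time: str
    action: str   # ALLOW means the NTLM handshake could have completed; DROP means egress filtering worked
    src: str
    dst: str

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_smb_egress(log_text: str) -> list:
    """Return outbound TCP/445 connections to non-internal destinations,
    i.e. candidate NTLM-leak events worth investigating."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 17:
            continue
        date, time, action, proto, src, dst, dport, path = (
            f[0], f[1], f[2], f[3], f[4], f[5], f[7], f[16])
        if proto != "TCP" or dport != "445" or path != "SEND":
            continue
        try:
            if is_internal(dst):
                continue
        except ValueError:   # malformed address field; skip the line
            continue
        hits.append(SmbEgress(f"{date} {time}", action, src, dst))
    return hits

if __name__ == "__main__":
    for hit in find_external_smb_egress(SAMPLE_LOG):
        print(hit)
```

Only two of the five sample lines are flagged: the internal share and the HTTPS connection are ignored, and the inbound RECEIVE line is excluded because the leak is an outbound authentication.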

Closing thoughts

CVE-2026-33829 is a reminder that even everyday productivity tools can become vectors for credential exposure when deep-link handling and external resource loading are insufficiently validated. The vulnerability’s practical risk hinges on successful social engineering, but the potential to harvest NTLMv2 hashes makes timely patching and egress filtering important priorities for defenders.
