Key Takeaways
- The vulnerability in Windows Snipping Tool (CVE-2026-33829) can expose NTLMv2 hashes through malicious links.
- It is triggered when a user clicks a crafted URL.
- It affects Windows 10, Windows 11, and Windows Server systems.
- No workaround is available, so applying the official KB patches is the only confirmed way to mitigate the issue.
Let's discuss the new Snipping Tool vulnerability in Windows that can leak NTLMv2 hashes over the network. Microsoft Windows Snipping Tool has a newly disclosed spoofing vulnerability, tracked as CVE-2026-33829, which could allow an unauthenticated attacker to capture a user's NTLMv2 hash over a network. The issue was made public on April 14, 2026, as part of Microsoft's monthly security update cycle.
New Snipping Tool Vulnerability in Windows can Leak NTLMv2 Hashes over Network
The flaw affects a wide range of Windows 10, Windows 11, and Windows Server editions. It is classified under CWE-200 and has a CVSS 3.1 base score of 4.3, with an environmental score of 3.8, placing it at Moderate severity.
Windows Snipping Tool Vulnerability
According to Microsoft, the attack is network-based, low in complexity, and does not require special privileges, with user interaction acting as the trigger. In CVE-2026-33829, the issue comes from how the Windows Snipping Tool handles specially crafted URLs. An attacker can place a malicious link in a webpage or email and trick a user into clicking it; if the user agrees to launch the tool, it silently connects to an attacker-controlled SMB server.
This connection exposes the user’s NTLMv2 hash, which can then be used to authenticate as that user on other systems. While Microsoft says exploitation is unlikely and not publicly observed, the exposure of NTLMv2 credentials is still a concern, as stolen hashes can be used in pass-the-hash or relay attacks to move across enterprise environments. The issue was reported to Microsoft by Blackarrow through coordinated disclosure.
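The outbound SMB connection described above is something defenders can hunt for while patches roll out. The following is an added example, not code from Microsoft or from this article: it flags host-initiated SMB connections to destinations outside internal ranges. The event field names (modelled loosely on Sysmon network-connection events), the internal ranges, and the sample events are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: example internal ranges; replace with your own address plan.
# Explicit ranges are used because ip.is_private also covers documentation nets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
SMB_PORTS = {445, 139}  # direct-hosted SMB and SMB over NetBIOS session service


def is_internal(addr):
    """True for loopback, link-local, or an address inside INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # judge ::ffff:a.b.c.d as IPv4
        ip = ip.ipv4_mapped
    if ip.is_loopback or ip.is_link_local:
        return True
    return any(ip.version == n.version and ip in n for n in INTERNAL_NETS)


def flag_external_smb(events):
    """Return outbound SMB connections whose destination is not internal."""
    hits = []
    for ev in events:
        # Only connections the host initiated match the leak path described.
        if not ev.get("initiated") or int(ev["dest_port"]) not in SMB_PORTS:
            continue
        try:
            internal = is_internal(ev["dest_ip"])
        except ValueError:
            internal = False  # unparsable destination: surface it for review
        if not internal:
            hits.append(ev)  # no filter on image: it is kept for triage only
    return hits


# Constructed sample events; hosts, images and addresses are made up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": "SnippingTool.exe", "initiated": True,
     "dest_ip": "203.0.113.10", "dest_port": 445},
    {"host": "WS-02", "image": "System", "initiated": True,
     "dest_ip": "10.1.2.3", "dest_port": 445},
    {"host": "WS-03", "image": "chrome.exe", "initiated": True,
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"host": "WS-04", "image": "System", "initiated": True,
     "dest_ip": "2001:db8::5", "dest_port": 445},
]

if __name__ == "__main__":
    for ev in flag_external_smb(SAMPLE_EVENTS):
        print(ev["host"], ev["image"], ev["dest_ip"], ev["dest_port"])
```

This check only covers destinations outside the listed internal ranges; an SMB listener on an internal address would not be flagged by it.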

Affected Platforms
The vulnerability affects a broad set of Microsoft Windows operating systems, and security updates were released on April 14, 2026, for all impacted platforms. Affected versions include multiple releases of Windows 11, Windows 10, and Windows Server, each with corresponding KB updates. Microsoft has confirmed that customer action is required across all 31 affected platform variants.
| Platform | Version | KB Article |
|---|---|---|
| Windows 11 | 23H2, 24H2, 25H2, and 26H1 | KB5082052, KB5083769, KB5083768 |
| Windows 11 | 21H2 and 22H2 | KB5082200 |
| Windows 10 | 1607 and 1809 | KB5082198, KB5082123 |
| Windows Server | 2025, 2022, 2019, 2016, 2012 | KB5082063, KB5082142, KB5082123, KB5082198, KB5082126/5082127 |
Mitigation
Microsoft has released security updates for all affected systems, with no alternative workarounds available, making patching the only confirmed fix. Users and administrators are advised to install the relevant KB updates, including KB5082200 for Windows 10 22H2 and KB5083769 for Windows 11 24H2/25H2, through Windows Update or the Microsoft Update Catalog.
Author
Anoop C Nair is a Workplace Technology solution architect with 25+ years of experience. Microsoft Certified Trainer. Microsoft MVP from 2015 onwards for consecutive 11+ years! He is a blogger, Speaker, and Founder of HTMD Community and HTMD Conference. His main focus is on Device Management technologies like Intune, Windows, and Cloud PC. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, and Microsoft Security.

