Broken official patches for Windows Shell Spoofing Vulnerability (CVE-2026-32202)

April 2026 Windows Updates brought a patch for CVE-2026-32202, an NTLM credentials leak that can be used for obtaining a Windows user's credentials when the user views a network folder containing a malicious LNK file. The issue seems to have been exploited in the wild.
This vulnerability was discovered by Maor Dahan with Akamai, who published a detailed analysis that allowed us to reproduce the issue and create patches for legacy Windows users.
Interestingly, our investigation of Microsoft's patch for this issue revealed that while their patch works well on Windows Server 2025 and Windows 11 24H2 and 25H2, it appears to be broken on several other Windows versions that are still under active support: Windows 10 22H2 (with Extended Security Updates), Windows 11 23H2, and all Windows Server versions from Server 2012 and 2012 R2 (with Extended Security Updates) through Windows Server 2022, inclusive. All of these, even when fully updated with the current June 2026 updates, still have the vulnerability.
Naturally, we've ported our patches to these Windows versions as well and will keep porting them until Microsoft provides an official patch there. We have also notified Microsoft about this omission and expect they will include these patches in the next update cycle.
The Vulnerability
The vulnerability is explained in detail in Maor's article.
Microsoft's Patch
Microsoft fixed this issue by adding a call to MapUrlToZoneEx in function ShellLink::_InitExtractIcon (windows.storage.dll) in order to limit the NTLM leak to LNKs on trusted locations only. We think this is a good approach, but their surrounding code logic allows for this added check to be bypassed - and in fact does get bypassed with our proof-of-concept.
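As an added defensive illustration (not code from 0patch, Microsoft or Maor's article), the following Python parses the StringData of .lnk files per the MS-SHLLINK layout and flags shortcuts whose icon location points at a UNC path or file:// URL, a common remote-icon pattern worth triaging on shared folders. It is a general heuristic, not a detector for the specific Control Panel CLSID trigger discussed here; build_lnk constructs the sample input and the flag constants are taken from the public format specification.

```python
import struct
from typing import Optional

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size

def parse_lnk_strings(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields of a ShellLink (.lnk) blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]  # follows HeaderSize + LinkCLSID
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:               # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                        # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        pos += width * count
    return fields

def remote_icon_source(data: bytes) -> Optional[str]:
    """Heuristic: return the icon location if it is a UNC path or file:// URL, else None."""
    icon = parse_lnk_strings(data).get("icon_location", "")
    return icon if icon.startswith("\\\\") or icon.lower().startswith("file://") else None

def build_lnk(icon_location: str) -> bytes:
    """Constructed test input: a minimal LNK carrying only an ICON_LOCATION string."""
    header = struct.pack("<I16sI", HEADER_SIZE, b"\x00" * 16, HAS_ICON_LOCATION | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
```

To triage a share, apply remote_icon_source to the bytes of every *.lnk found under it and review the paths it returns; a hit is a reason to look closer, not proof of malice.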
Our Patch
We believe Microsoft decided to patch this issue too high up on the stack, on the LNK file level, so we decided to take a much more minimal approach by patching in the last non-generic function on the stack. This limits our patch's influence only to LNK files that use the Control Panel COM Object CLSID.
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
Windows 11 v23H2 - fully updated
Windows 11 v22H2 - fully updated
Windows 11 v21H2 - fully updated
Windows 10 v22H2 - fully updated with no ESU, or with ESU 1
Windows 10 v21H2 - fully updated
Windows 10 v21H1 - fully updated
Windows 10 v20H2 - fully updated
Windows 10 v2004 - fully updated
Windows 10 v1909 - fully updated
Windows 10 v1809 - fully updated
Windows 10 v1803 - fully updated
Windows 7 - fully updated with no ESU, with ESU 1, ESU 2 or ESU 3
Windows Server 2008 R2 - fully updated with no ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
Windows Server 2012 - fully updated with no ESU, with ESU 1 or ESU 2
Windows Server 2012 R2 - fully updated with no ESU, with ESU 1 or ESU 2
Windows Server 2016 - fully updated
Windows Server 2019 - fully updated
Windows Server 2022 - fully updated
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
We'd like to thank Maor Dahan with Akamai for sharing their analysis, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft - and for those with broken official patches.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support last October, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.