Microsoft Declines to Patch Windows library-ms NTLM Leak, ZDI Publishes 0-Day Advisory
Microsoft has declined to patch a newly disclosed zero-day vulnerability in Windows library-ms file parsing that leaks NTLM responses to network-adjacent attackers, prompting ZDI to publish a public advisory.

On April 21, 2026, the Zero Day Initiative (ZDI) published advisory ZDI-26-294, disclosing a zero-day information disclosure vulnerability in Microsoft Windows that allows network-adjacent attackers to capture a user's NTLM response. The flaw resides in the parsing of library-ms files: a specially crafted file can trigger an outgoing WebDAV request, leaking the victim's NTLM authentication response to an attacker-controlled server. Exploitation requires user interaction (the target must view a folder containing the malicious content), and the vulnerability carries a CVSS score of 3.5 (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).
An NTLM response is a challenge-response value derived from the hash of the user's password; it can be relayed to other services or cracked offline to recover the password. While the attack surface is limited by the need for network adjacency and user interaction, leaked NTLM responses are a well-known stepping stone for lateral movement and privilege escalation in enterprise environments. The specific mechanism, abusing library-ms files to force outbound WebDAV connections, echoes previous NTLM relay techniques that Microsoft has patched in other components.
According to ZDI's timeline, the vulnerability was reported to Microsoft on December 18, 2025, and acknowledged the same day. On March 4, 2026, Microsoft informed ZDI that the issue "did not meet the bar for security servicing," effectively declining to issue a patch. After notifying Microsoft of its intent to publish on April 13, 2026, ZDI released the advisory as a coordinated 0-day disclosure on April 21. The advisory credits researcher RootVector for discovering the flaw.
Microsoft's decision not to patch the vulnerability means that all supported versions of Windows remain exposed. The only mitigation offered by ZDI is to "restrict interaction with the product," a generic recommendation that offers little practical defense for users who must browse folders containing library-ms files. No CVE identifier has been assigned to the flaw, which is unusual for a publicly disclosed vulnerability and may complicate tracking.
This disclosure highlights a growing tension between Microsoft's security servicing bar and the expectations of the research community. The company has increasingly declined to patch vulnerabilities it deems low-severity or requiring user interaction, even when those flaws can be chained with other attacks. In this case, the NTLM leak could be combined with a relay tool like Impacket to authenticate as the victim on other services, potentially leading to broader compromise.
For defenders, the practical risk is highest in environments where users routinely access shared folders or network shares. Attackers who have already gained a foothold on an adjacent network segment could plant a malicious library-ms file in a commonly accessed directory and wait for a user to open it. The resulting NTLM response could then be used to pivot to other systems. Until Microsoft changes its stance or a third-party mitigation emerges, organizations should consider blocking outbound WebDAV traffic where possible and educating users about the risks of browsing untrusted folders.
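Added example, not code from the advisory, ZDI, or Microsoft: a small Python scanner a defender could run over a shared folder to flag .library-ms files whose locations point off the local machine. It assumes the publicly documented Library Description XML format (locations carried in `<url>` elements under `<simpleLocation>`), which the advisory itself does not detail; the embedded sample file is constructed for illustration and uses a documentation-only address.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .library-ms document: one local known-folder location
# plus one location pointing at a remote host (198.51.100.7 is reserved
# for documentation, not a real target). Format assumed from Microsoft's
# public Library Description schema.
SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\198.51.100.7\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

UNC_RE = re.compile(r"^\\\\([^\\/]+)")           # \\host\share ...
WEB_RE = re.compile(r"^https?://([^/]+)", re.I)   # http(s)://host/... (WebDAV)

def classify_location(url: str):
    """Return the remote host a library location points to, or None if local."""
    url = url.strip()
    if url.lower().startswith("knownfolder:") or re.match(r"^[A-Za-z]:[\\/]", url):
        return None
    for pattern in (UNC_RE, WEB_RE):
        m = pattern.match(url)
        if m:
            return m.group(1)
    return None

def find_remote_locations(xml_text: str):
    """List (url, host) pairs in a .library-ms document that resolve off-box.
    Malformed XML is reported as a finding rather than silently skipped."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<unparseable>", f"parse error: {exc}")]
    findings = []
    for el in root.iter():
        # Match the local element name so a missing/odd namespace is still covered.
        if el.tag.rsplit("}", 1)[-1] == "url":
            host = classify_location(el.text or "")
            if host is not None:
                findings.append((el.text.strip(), host))
    return findings

if __name__ == "__main__":
    for url, host in find_remote_locations(SAMPLE_LIBRARY_MS):
        print(f"remote library location {url!r} -> host {host}")
```

Running it over every *.library-ms file on a share gives a quick inventory of files that would make Explorer reach out to another host, which is the behaviour the advisory describes.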