Microsoft April 2026 Updates Block Vulnerable Driver, Disrupt Third‑Party Backup Applications
What Happened — Microsoft’s April 2026 cumulative updates added the kernel driver psmounterex.sys to its Vulnerable Driver Blocklist (mitigating CVE‑2023‑43896). The block prevents the driver from loading, causing VSS‑based backup products to fail when mounting or restoring images. Affected vendors include Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup on Windows 10/11/Server.
Why It Matters for TPRM —
- Backup continuity is a core resilience control; interruptions can delay recovery and increase exposure.
- The incident shows how security hardening can unintentionally break third‑party integrations, creating supply‑chain risk.
- Organizations must verify that their backup providers have released compatible updates or alternative drivers.
Who Is Affected — Enterprises that rely on VSS‑based image backups across any industry (finance, healthcare, SaaS, etc.) and run Windows 10/11 or Windows Server with third‑party backup software.
Recommended Actions —
- Identify whether your backup solution uses the psmounterex.sys driver.
- Deploy vendor‑provided updates that replace the driver or adjust configurations.
- Test backup and restore workflows after patching; monitor Code Integrity logs for Event ID 3077.
Technical Notes — The blocklist mitigates a high‑severity buffer‑overflow (CVE‑2023‑43896) that could allow privilege escalation. Failures appear as VSS time‑outs, VSS_E_BAD_STATE errors, and inability to mount backup images. Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-backup-failures-caused-by-vulnerable-driver-block/