April 2026 Windows Update Breaks Third-Party Backup Software by Blocking Vulnerable Driver – gHacks


Microsoft has confirmed that the security update released in April 2026 included the psmounterex.sys driver in its Vulnerable Driver Blocklist. This change causes some third-party backup programs that depend on the driver for mounting images and creating VSS snapshots to fail. The block was introduced to fix CVE-2023-43896, a high-severity buffer overflow vulnerability that could allow privilege escalation or arbitrary code execution.
Affected software includes Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup, all running on Windows 11, Windows 10, and Windows Server.
Full image backup creation may still succeed on affected systems. The failures happen specifically during image-mount operations, which means browsing backups or restoring from them will not work. Users might see the error message “The backup has failed because Microsoft VSS has timed out during the snapshot creation” or the error code VSS_E_BAD_STATE.
Event Viewer will display Code Integrity errors indicating that psmounterex.sys was blocked from loading. The relevant event to look for is Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} in the Code Integrity Operational log.
If the event appears and mentions the psmounterex.sys driver in enforcement mode, your system is affected.
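The check described above can be scripted from an elevated PowerShell prompt. This is an added example, not code from Microsoft or the article: the function name, the 30-day look-back and the optional host list are assumptions, while the log, event ID, policy ID and driver name are the ones quoted above.

```powershell
# Added example: find Code Integrity block events (ID 3077) that name psmounterex.sys.
function Get-PsMounterBlockEvent {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,  # assumption: hosts you administer
        [int]$Days = 30                               # assumption: look-back window
    )
    $policyId = '{D2BDA982-CCF6-4344-AC5B-0B44427B6816}'
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No matching events" is a clean result; anything else (access denied,
            # host unreachable) must not be mistaken for "not affected".
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$computer : could not read log: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($evt in $events) {
            # Match on rendered text plus raw XML so no EventData field names are assumed.
            $text = "$($evt.Message)`n$($evt.ToXml())"
            if ($text -notmatch 'psmounterex\.sys') { continue }
            [pscustomobject]@{
                Computer    = $computer
                TimeCreated = $evt.TimeCreated
                PolicyMatch = $text -match [regex]::Escape($policyId)  # case-insensitive
                Message     = ($evt.Message -split "`r?`n")[0]
            }
        }
    }
}

$hits = @(Get-PsMounterBlockEvent | Sort-Object TimeCreated -Descending)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
    "Affected: {0} block event(s), most recent at {1}" -f $hits.Count, $hits[0].TimeCreated
} else {
    'No Event ID 3077 entries naming psmounterex.sys in the look-back window.'
}
```

A row with `PolicyMatch` set to `False` means the driver was blocked under a different Code Integrity policy than the one named above and should be reviewed separately.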
Microsoft recommends updating to a newer version of the affected backup application that utilizes drivers not listed on the blocklist. Uninstalling or pausing the April update is not advised, as the block addresses an actively exploitable vulnerability. Backup software vendors are expected to release updated versions with compliant drivers.
The April 2026 update has led to several issues, including problems beyond the backup driver block. Microsoft has confirmed that some Windows Server 2025 devices may boot into BitLocker recovery mode after installing KB5082063.
In addition, out-of-band updates were released to fix Windows Server update failures and restart loops on domain controllers caused by the April security updates.
The situation shows how a security fix can act as a “breaking change”: because Microsoft added the vulnerable driver to its blocklist, apps that depend on the blocked driver fail.
It also exposes a larger problem: backup software still relied on drivers with security flaws and outdated components for essential backup processes. Vendors should have delivered driver updates to their customers before this requirement emerged.
For users the experience is annoying, because Windows updates always create a conflict between security and usability.
Yet again the burden to fix Microslop’s problem lies in the hands of the end-user and hope that the 3rd party backup app is updated to fix the block.
Moreover, Microsoft want to let users pick and choose when they want to activate Windows Updates rather than putting them on pause for a fixed period of time, but with this latest break they’re suggesting that putting April’s update on pause or uninstalling is not advised as it leaves open an exploit and should therefore be installed asap.
Mixed messages and more problems! And then you have ‘slop constantly badgering you to back up your stuff to their OneDrive storage.
Microsoft has disabled a driver that is known to be vulnerable and can circumvent Windows defences. But how is that “their” problem? What should they do? Leave your system wide open for attacks?
Third-party software must not compromise the security of the OS. Especially the software that uses kernel drivers.
Left Windows after 30 years using every version throughout the years. Finally left permanently for Macs and a home built desktop running Ubuntu. Can’t say I miss Windows 11 one bit, not even a little. Every month it was a laundry list of fixes and many times something else broke. Sometimes I understand third party software breaking with an update happens with every OS. But it’s happening too frequently with Windows.
Linux has virtually no third-party software. Not to mention the fact that Linux frequently drops its own software.
Windows, on the other hand, offers strong guarantees that software will run just fine as long as you respect and use its APIs and guidelines properly.
Linux offers… Well, nothing really. Your application uses a library that’s been dropped? Goodbye.
Updating to the latest version of something is not always a viable solution.
Particularly for home users. Macrium prices increased 700% over the perpetual licence costs for a 4 pc home purchase. It’s now an annual subscription.
I run v6.3.1865. It just does backup/restore. None of the bloatware rubbish that comes with v7 and later. Its total installed size is 127mb and runs one service all the time and one service when a backup is running.
v7 and later have the typical process and disk space explosions that developers love to do to customers. I have none of the forced components that are useless to me installed. It’s the same old thing… Developers try to be everything to everybody but end up being nothing to nobody because they bloat their software and make it more about data collection than actual functionality.
Image backups, file and folder backups, mounting and unmounting images work perfectly. This is on Windows 10. I do about a dozen backups every day. It just works. Unlike later versions which have been plagued with bugs.
Simplistically, Microsoft should just fix the 10s of thousands of bugs and vulnerabilities in their products instead of willy-nilly breaking things for people. It seems every month, without fail, Microsoft break multiple things and it’s getting worse not better.
Idgit(s) @ MSoft saw psmounterex.sys v.8.1.7544 & earlier subject to CVE-2023-43896, IGNORING that it had been patched, with latest being v.8.0.7662.0, with no CVEs or detections on Virus Total. Rather than actually try to fix some of Windows’ more glaring vulnerabilities, someone(s) engaged in busywork, creating a new blocklist with semi-random drivers picked out of a hat so they could leave early for the weekend. But I’m sure it looked good to their know-nothing boss.
Hello, I hope that either Macrium or Microsoft finds a way to resolve that issue.
Macrium Reflect 8 (latest free version) is affected. The registry hack to disable the drivers blocklist does not work for me. So at the present, the only way to mount an image is to boot into Macrium Reflect (via usb or others).
Regards
@ARTHUR … Quote: “… security update scheduled for April 2026 will include …”
The April update has occurred. Do you mean May?



