Full Report
Microsoft has confirmed that the April 2026 security updates are causing failures in third-party backup applications using the psmounterex.sys driver. [...]
Analysis Summary
# Vulnerability: Privilege Escalation in psmounterex.sys (Vulnerable Driver Blocklist Enforcement)
## CVE Details
- **CVE ID**: CVE-2023-43896
- **CVSS Score**: Not explicitly listed in text, but categorized as **High Severity**.
- **CWE**: CWE-120 (Buffer Overflow)
## Affected Systems
- **Products**: Windows 10, Windows 11, Windows Server (various versions including Windows Server 2025).
- **Versions**: Systems that have installed the **April 2026 Security Updates** (e.g., KB5083769).
- **Configurations**: Systems running third-party backup software that utilizes the **psmounterex.sys** kernel driver, specifically:
- Macrium Reflect
- Acronis Cyber Protect Cloud
- UrBackup Server
- NinjaOne Backup
## Vulnerability Description
The vulnerability stems from a high-severity buffer overflow within the `psmounterex.sys` kernel driver. This flaw allows an attacker to escalate privileges or execute arbitrary code at the kernel level. In response, Microsoft updated the **Vulnerable Driver Blocklist** via the April 2026 security updates to prevent this driver from loading. While this secures the OS, it causes functional failures in backup applications that rely on the blocked driver for mounting virtual drives or managing VSS (Volume Shadow Copy Service) snapshots.
## Exploitation
- **Status**: Vulnerability is known; blocklist enforcement is proactive mitigation by Microsoft.
- **Complexity**: Not specified (implied Low to Medium for buffer overflows in drivers).
- **Attack Vector**: Local (typically requires local access to exploit a driver for privilege escalation).
## Impact
- **Confidentiality**: High (Potential for full system compromise via kernel-level execution).
- **Integrity**: High (Potential for arbitrary code execution).
- **Availability**: High (The *mitigation* causes availability issues for backup services; the *exploit* could cause system crashes/BSOD).
## Remediation
### Patches
- Microsoft recommends **not** uninstalling the April 2026 security updates (KB5083769 / KB5082063).
- Users should update their third-party backup applications to versions that use newer, patched drivers that satisfy Microsoft's security hardening requirements.
### Workarounds
- There are no recommended workarounds that involve bypassing the blocklist, as this would re-expose the system to CVE-2023-43896.
- Temporary mitigation involves performing full image backups (which may still succeed) while avoiding "mount" or "browse" operations until the software is updated.
## Detection
- **Indicators of Compromise/Failure**:
- **VSS Timeouts**: Errors such as `VSS_E_BAD_STATE` or "Microsoft VSS has timed out."
- **Event Logs**: Look for **Event ID 3077** in the Code Integrity Operational log.
- **Detection Method**:
- Navigate to: `Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational`.
- Check for Policy ID `{D2BDA982-CCF6-4344-AC5B-0B44427B6816}` which confirms `psmounterex.sys` was blocked.
## References
- Microsoft Support KB5083769: hxxps[:]//support[.]microsoft[.]com/en-us/topic/april-14-2026-kb5083769
- Microsoft Vulnerable Driver Blocklist: hxxps[:]//learn[.]microsoft[.]com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
- NVD CVE-2023-43896: hxxps[:]//nvd[.]nist[.]gov/vuln/detail/CVE-2023-43896