vulnerable driver

AppWizard
June 25, 2026
Riot Games has introduced a new feature for its Vanguard anti-cheat system called Vanguard On-Demand, which allows the kernel driver to load only when a Riot game is launched and unload upon exit. This change ends the previous practice of loading the driver at Windows start-up, which has been in place since 2020. The new mode is supported by Windows 11 25H2 and requires specific hardware configurations, including UEFI Secure Boot, TPM 2.0, Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and IOMMU. Approximately 35% of players currently meet these hardware requirements, while around 3% are using incompatible systems. Riot has created a checklist called Vanguard Pre-Check to help players determine if their systems qualify. The percentage of fully secured machines is estimated to be around 34.33% and is increasing monthly. Players whose systems do not meet the criteria will need to make manual adjustments in their BIOS. Vanguard On-Demand mode will be available for players on Windows 11 starting later today. The feature is based on Microsoft’s Runtime Driver Attestation Report, which tracks driver activity since boot and helps ensure no vulnerable drivers have been loaded while Vanguard is inactive. Riot Games has required TPM 2.0 and Secure Boot on Windows 11 since 2020 and has faced criticism for these requirements. Enabling VBS and HVCI may affect frame rates and could disable older peripheral drivers due to Microsoft's vulnerable driver blocklist.
Winsage
June 1, 2026
Microsoft resolved an issue causing installation failures and error code 0x800f0922 during the deployment of the May 2026 Windows 11 security update (KB5089549), which was linked to insufficient free space on the EFI System Partition (ESP). The problem mainly affected devices with 10 MB or less available space, leading to automatic rollbacks of the update. The resolution was provided through the release of the Windows 11 KB5089573 preview cumulative update on May 26, 2026. Users installing updates released on or after this date will not need a workaround, while those with earlier updates can use the Known Issue Rollback feature. Additionally, IT administrators in enterprise settings can manually address the issue through Group Policy configurations. The KB5089573 update introduced 30 changes to improve performance and reliability.
Winsage
May 18, 2026
Microsoft has acknowledged a significant issue with the May 2026 Windows 11 security update, KB5089549, where users are encountering difficulties in installation, specifically the 0x800f0922 error code. This issue is primarily due to insufficient free space on the EFI System Partition (ESP), especially for devices with 10 MB or less available. The installation may fail during the reboot phase at around 35–36% completion, with users receiving notifications like "Something didn't go as planned. Undoing changes." Log entries may indicate insufficient ESP free space, such as "SpaceCheck: Insufficient free space" and "ServicingBootFiles failed. Error = 0x70." Microsoft recommends affected users utilize the Known Issue Rollback feature to reverse problematic updates and advises IT departments to install and configure the relevant Group Policy to address the issue.
Winsage
May 10, 2026
Microsoft's April 2026 Windows security update, KB5083769, may disrupt image-mount operations for backup applications such as Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup due to the addition of the psmounterex.sys kernel driver to its Vulnerable Driver Blocklist. This action was taken to address a high-severity buffer overflow vulnerability, CVE-2023-43896. The inclusion of this driver in the blocklist has rendered several backup products inoperable, and Microsoft will not retract the block for security reasons. Administrators can use Event ID 3077 in the Code Integrity log to confirm that the blocklist is causing the failures. Microsoft advises updating backup applications to versions that include necessary driver protections instead of uninstalling or pausing the security patch. Additionally, the April updates have caused other issues, such as failures in Windows Server installations and devices booting into BitLocker recovery mode.
Winsage
May 8, 2026
A recent Windows update, KB5083769, released on April 14, 2026, blocks the psmounterex.sys driver, disrupting the functionality of third-party backup software like Acronis Cyber Protect Cloud, Macrium Reflect, and NinjaOne. This driver is essential for loading and mounting backup storage images. Users may encounter errors related to Microsoft VSS during backup attempts. The update is a security enhancement, not a bug, and users are advised to upgrade their backup software to versions that use a newer driver or temporarily uninstall the KB5083769 update. It is recommended to check for updates from the backup software provider and pause Windows Updates to prevent automatic reinstallation of the problematic update until a fix is available.
Winsage
May 5, 2026
Microsoft will include the psmounterex.sys driver in its Vulnerable Driver Blocklist in the April 2026 security update, affecting third-party backup applications that use this driver for image mounting and Volume Shadow Copy Service (VSS) snapshots. This decision addresses CVE-2023-43896, a critical buffer overflow vulnerability. Affected software includes Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup on Windows 11, Windows 10, and Windows Server platforms. Users may face issues during image-mount operations, receiving error messages related to VSS timeouts and Code Integrity errors in the Event Viewer. To check if a system is affected, users can look for Event ID 3077 in the Code Integrity Operational log. Microsoft recommends upgrading to newer versions of backup applications that do not use blocked drivers and advises against uninstalling or delaying the April update. Additionally, the update may cause certain Windows Server 2025 devices to boot into BitLocker recovery mode and has led to out-of-band updates for Windows Server update failures and restart loops on domain controllers.
Winsage
May 5, 2026
Microsoft's Defender anti-malware tool update version 1.449.425.0 removed two DigiCert root digital certificates, leading to false positives that flagged them as severe malware (Trojan:Win32/Cerdigent.A!dha). This incident was later identified as a false positive, and updating to version 1.449.430.0 or later reinstates the certificates. The issue may be linked to a DigiCert employee encountering disguised malware. Additionally, Windows updates from April 14 caused third-party backup applications to malfunction due to the addition of vulnerable psmounterex.sys kernel driver versions to a blocklist. Users experienced difficulties with mounting backup image files, and Microsoft referenced a vulnerability rated 9.3 out of 10 in the driver. Other affected software includes Acronis Cyber Protect Cloud and UrBackup server. Microsoft has not explained the delay in adding the vulnerable driver to the blocklist, and other recent update-related issues have also been reported.
Winsage
May 4, 2026
Microsoft has acknowledged that the April 2026 security updates have disrupted the functionality of various third-party backup applications using the psmounterex.sys driver, raising concerns among users. The issue primarily affects software leveraging the Volume Shadow Copy Service (VSS) snapshots, leading to failures due to VSS service timeouts. Notable impacted products include Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup, used on Windows 11, Windows Server, and Windows 10 devices. Disruptions can manifest as failures to mount backup image files, errors or timeouts when browsing or restoring from backup images, and error messages related to VSS timeouts. Microsoft updated its support documentation to clarify that the April updates included a security hardening change that added psmounterex.sys to the vulnerable driver blocklist to protect against a high-severity buffer overflow vulnerability (CVE-2023-43896). Affected users are advised to upgrade to newer application versions with updated drivers and not to uninstall or pause the security update. Users can check if the Microsoft Vulnerable Driver Blocklist is blocking a driver by looking for Event ID 3077 in the Code Integrity Operational log. Additionally, Microsoft has alerted users that some Windows Server 2025 devices may boot into BitLocker recovery mode after installing the KB5082063 update and has issued out-of-band updates to address installation failures and restart loops affecting Windows Server systems after the April 2026 updates.
Winsage
March 31, 2026
Microsoft will eliminate default trust for kernel drivers signed through the outdated cross-signed root program with the April 2026 Windows update. All new kernel drivers must be certified via the Windows Hardware Compatibility Program (WHCP). This change will affect Windows 11 builds 24H2, 25H2, and 26H1, as well as Windows Server 2025, with future versions following the same standards. The update will begin in evaluation mode, monitoring driver loads for compliance before transitioning to enforcement mode. An allow list of reputable drivers will be maintained for legacy hardware, and enterprises can use Application Control for Business policies to authorize specific drivers. Users with older hardware may face compatibility issues if their drivers are not WHCP-certified.
Tech Optimizer
March 16, 2026
A crypto miner virus, or cryptojacking malware, secretly uses a device’s CPU or GPU to mine cryptocurrency for an attacker, leading to increased electricity costs and potential hardware damage for the victim. It typically infects devices through phishing emails, pirated software, compromised websites, and malicious browser extensions. Monero is the preferred cryptocurrency for mining due to its efficiency on standard CPUs and privacy features. Signs of infection include overheating, high CPU usage, and increased electricity bills. Detection involves monitoring system performance and running antivirus scans. Prevention includes using antivirus software, keeping systems updated, and avoiding pirated software. Notable incidents include attacks on a European water utility and the Los Angeles Times website.
Search