Debian 12 is EOL as of today.
Here's your actual situation.
Today — July 11, 2026 — Debian 12 "Bookworm" reaches the end of its regular security support. The Debian security team has shipped its final advisories for Bookworm; from today, responsibility shifts, coverage narrows, and the clock that matters to your compliance auditor has formally run out. If you run Debian 12 in production, here is precisely what changed overnight, what didn't, and the three paths forward.
What actually stops today
Debian's model gives each release roughly three years of full support from the security team. Bookworm shipped on June 10, 2023, and that window closes today. Specifically:
- Debian security team advisories (DSAs) for Bookworm end. The full-coverage, all-architectures, all-packages security guarantee is over.
- Point releases end. No further 12.x updates roll up fixes.
- The compliance answer changes. "Is this OS vendor-supported?" now requires an asterisk — and frameworks like PCI DSS don't love asterisks.
What doesn't stop (and where the trap hides)
Debian is gentler than most: Bookworm now enters Debian LTS, where a separate volunteer/funded team continues security fixes until roughly June 2028 — but only for a subset of architectures and packages. The trap is in that subset: LTS coverage is narrower than full support, exclusions are published package-by-package, and if something you depend on falls outside it, you're unpatched without noticing. Treat LTS as a managed bridge, not a continuation of the status quo — and verify your critical packages are actually covered.
Your three paths, honestly ranked
1. Upgrade to Debian 13 "Trixie" (the default answer). Trixie shipped August 9, 2025 — it's had nearly a year of stabilization, and the in-place apt upgrade path from 12 is well-documented and generally uneventful for standard workloads. It resets your clock for years. Most teams should simply schedule this.
2. Ride Debian LTS deliberately. Legitimate when you have Bookworm-pinned dependencies that can't move yet — but do it as a decision, not a drift: confirm your architecture and critical packages are in LTS coverage, put the June 2028 end date in your roadmap, and document the residual risk.
3. Commercial extended support. If you're stuck on 12 (or still on 11) with compliance requirements the community LTS subset can't satisfy, commercial vendors provide fuller extended coverage. Tell us what you're running and we'll match you with a vetted provider — free, within one business day.
The wider week this lands in
Bookworm's EOL headlines an unusually brutal stretch of the EOL calendar: June 30 alone retired Spring Boot 3.5, Spring Framework 6.2, Amazon Linux 2, Kubernetes 1.33's upstream line, and MariaDB 10.6 followed on July 6. Next Tuesday, SharePoint 2016 and 2019 both exit support on the same day. If your patch dashboard looks quiet this month, it isn't because nothing happened.
Check any product's real status in seconds with the EOL Checker — it regenerates from live lifecycle data at every build — or see the full Debian release timeline for every version's dates. And if today's news is your problem: the complete Debian 12 action guide covers upgrade paths and pitfalls in depth.