The H2 2026 EOL Pileup: Seven Major Deadlines in Six Months
The second half of 2026 is one of the most crowded end-of-life stretches in recent memory. Between September 7 and December 31, seven major deadlines land across the stack: OpenSSL 3.0, Oracle JDK 17, Windows Server 2012/R2's final ESU year, Python 3.10, .NET 8 and .NET 9 on the same day, PostgreSQL 14, and PHP 8.2. Most teams are exposed to at least two. Below: what stops, who is affected, and the action plan for each date.
The Wall Already Started Falling in July
The first section of the wall came down two days ago. On July 14, 2026, SharePoint Server 2016, SharePoint Server 2019, and SQL Server 2016 all reached Microsoft end of support on the same day. Deep dives: the SharePoint 2016/2019 double cutoff and SQL Server 2016 end of support. July was the warning shot. The next six months are the barrage.
September 2026 — The Cryptography and Java Deadlines
September 7: OpenSSL 3.0
What stops: Security fixes for the OpenSSL 3.0 LTS series — after September 7, new CVEs go unpatched upstream. Who's affected: Far more systems than any inventory shows: OpenSSL ships inside operating systems, container base images, appliances, and language runtimes, giving this EOL the widest blast radius on the list.
Action plan: Audit everything that links against OpenSSL, not just "servers running it." Container images are the usual blind spot — rebuild on current bases and much of the problem solves itself. For anything pinned to 3.0 directly, move to a supported series (3.1 through 4.0). Details: OpenSSL 3.0 page, OpenSSL overview.
September 30: Oracle JDK 17
What stops: Oracle's support window for JDK 17, the LTS release much of enterprise Java standardized on in 2021–2022 — no further updates under standard terms after September 30. Who's affected: Any organization running Java 17 on Oracle's build, with licensing consequences as well as security ones.
Action plan: Upgrade to a newer LTS — Java 21 or later — and use the forced migration to re-evaluate whether you need Oracle's build at all; OpenJDK-based distributions run the same workloads without the licensing exposure. See our Java licensing deep dive, the JDK 17 page, and the Oracle JDK overview.
October 2026 — The Hardest Deadline of the Year
October 13: Windows Server 2012 and 2012 R2 — The Final ESU Cliff
What stops: Everything. Extended support ended in October 2023; coverage has continued only through paid Extended Security Updates, and October 13, 2026 ends the third and final ESU year. There is no Year 4 — no patches at any price, through any channel. Who's affected: Organizations that paid three years of ESU fees precisely because migration was hard — the systems still standing are, almost by definition, the hardest to move.
Action plan: This deadline cannot be bought off. Triage now: migrate what can be migrated to a supported release, rehost what can be rehosted, and isolate — aggressively, at the network layer — whatever must survive past October. Full framework: our ESU cliff deep dive; version pages: 2012, 2012 R2, Windows Server overview.
October 31: Python 3.10
What stops: Security fixes for Python 3.10. After October 31, it joins 3.9 and earlier as permanently unpatched. Who's affected: Data pipelines, ML tooling, and long-lived services built in the 2021–2022 window — plus every Docker image still pulling a python:3.10 base.
Action plan: Usually the cheapest upgrade on this list: move to a supported release (3.11 through 3.14), run the test suite, and update CI matrices and base images. The main friction is compiled dependencies pinned to old wheels — surface those early. See our Python end of life guide, the Python 3.10 page, and the Python overview.
November 2026 — Two Platforms and a Database in 48 Hours
November 10: .NET 8 and .NET 9 — Both on the Same Day
What stops: Two .NET versions at once — .NET 8's three-year LTS window and .NET 9's 18-month STS window converge on a single Patch Tuesday. Who's affected: Everyone not already on .NET 10 — LTS-conservative shops and current-release adopters hit the wall together, making this one of the largest single-day EOL events of 2026.
Action plan: The destination is the same for everyone: .NET 10, released November 2025. From 8 or 9 the upgrade is typically a target-framework bump and dependency refresh, not a rewrite — budget for testing, not porting. Full breakdown in our .NET EOL 2026 deep dive; dates: .NET 8, .NET 9, .NET overview.
November 12: PostgreSQL 14
What stops: PostgreSQL 14's five-year support window closes on November 12 — no further security or bug-fix releases. Who's affected: Anyone who provisioned a database in 2021–2022 and hasn't touched the major version since — a huge share of production, because working databases don't get upgraded voluntarily.
Action plan: Database major-version upgrades need lead time, so two days after the .NET deadline is exactly the wrong week to start. Begin now: pick a supported target (15 through 18), test with pg_upgrade or logical replication, and validate extensions first — they are the usual blocker. See our PostgreSQL end of life guide, the PostgreSQL 14 page, and the PostgreSQL overview.
December 2026 — The Year-End Deadline
December 31: PHP 8.2
What stops: Security support for PHP 8.2 — from January 1, 2027, new vulnerabilities go unpatched. Who's affected: A very large slice of the web: agencies, hosting customers, and CMS-driven sites where the PHP version was set at launch and never revisited.
Action plan: Upgrade to PHP 8.3 or later (8.5 is current); within the 8.x line this is normally a low-friction jump. A December 31 deadline means the real cutoff is mid-December, before change freezes — do not let this one slip into the holiday window. Deep dive: PHP 8.2 end of life; dates: PHP 8.2 page, PHP overview.
Master Timeline: Every H2 2026 Deadline
| Date | Product | What Ends | Deep Dive |
|---|---|---|---|
| Jul 14, 2026 | SharePoint Server 2016 & 2019 | Microsoft end of support Passed | SharePoint double cutoff |
| Jul 14, 2026 | SQL Server 2016 | Extended support ends; paid ESU only Passed | SQL Server 2016 EOL |
| Sep 7, 2026 | OpenSSL 3.0 | Security fixes for the 3.0 LTS series end | — |
| Sep 30, 2026 | Oracle JDK 17 | Oracle support window closes | Java licensing deep dive |
| Oct 13, 2026 | Windows Server 2012 / 2012 R2 | Final ESU year ends — no patches at any price | The ESU cliff |
| Oct 31, 2026 | Python 3.10 | Security-only support ends | Python EOL guide |
| Nov 10, 2026 | .NET 8 and .NET 9 | LTS and STS support end on the same day | .NET EOL 2026 |
| Nov 12, 2026 | PostgreSQL 14 | Five-year support window closes | PostgreSQL EOL guide |
| Dec 31, 2026 | PHP 8.2 | Security support ends | PHP 8.2 EOL |
How to Survive Q3/Q4 2026
Seven deadlines in four months is not a problem you solve one Patch Tuesday at a time — it needs a single planning pass now, in July.
- Inventory first. Point the endoflife.ai scanner at your dependency manifests to surface every affected component — including the OpenSSL and Python versions hiding inside container images.
- Verify each version. "We're on Postgres" is not an answer; "PostgreSQL 14, EOL November 12" is. The EOL checker gives the exact date and risk level for any product and version.
- Put the dates on the calendar. Every product page offers an .ics download with reminders ahead of each deadline — subscribe your team calendar so no date arrives as a surprise.
- Sequence by hardness, not by date. The Windows Server 2012 cliff is absolute; PHP 8.2 is routine. Spend scarce engineering weeks on deadlines that cannot be extended, and fold the routine ones into sprint work before the December change freeze.
- Use extended support as a bridge, not a plan. Third-party extended support can keep patches flowing while a migration finishes — it buys time, not a future. See our extended support vendors page.
Frequently Asked Questions
Do .NET 8 and .NET 9 really go end of life on the same day?
Yes. .NET 8 (LTS) and .NET 9 (STS) both reach end of life on November 10, 2026. The upgrade target for both is .NET 10.
What happens to Windows Server 2012 after October 13, 2026?
October 13, 2026 ends the third and final Extended Security Update year for Windows Server 2012 and 2012 R2. After that, no security updates at any price — there is no Year 4 ESU. It is the one deadline here that cannot be extended.
Which H2 2026 deadline is the most dangerous?
OpenSSL 3.0 (September 7) has the widest blast radius — it is embedded rather than installed deliberately, so most affected systems appear in no inventory. The Windows Server 2012 ESU cliff (October 13) is the hardest, with no paid extension beyond it.
How do I find out which of these deadlines affect my stack?
Scan your dependency manifests with the scanner, verify versions with the EOL checker, and subscribe to the .ics reminders on each product page. If a migration won't finish in time, extended support can bridge the gap.