Market Reference — Extended Support

Extended Support Vendors,
Compared

Updated July 13, 2026 · endoflife.ai · Market Reference · Extended Lifecycle Support

When software reaches end of life, the original vendor stops shipping security patches — but a market of extended-lifecycle-support vendors has grown up specifically to fill that gap, backporting CVE fixes for a fee so teams can keep running EOL software safely while they plan a migration on their own schedule. This page is a neutral reference to that market, organized by coverage area, so you know what exists before you start evaluating anyone.

Market Overview by Coverage Area

Coverage Area What It Covers Typical Buyer Vendors Active
EOL Linux distros CVE backports for OS packages after distro EOL (CentOS, Ubuntu, Debian, etc.) Infrastructure / platform teams with legacy hosts TuxCare, Canonical ESM, Red Hat ELS, SUSE Multi-Linux
EOL app frameworks / languages Security patches for EOL language runtimes and JS/web frameworks Application teams on legacy PHP, Node.js, AngularJS, etc. HeroDevs, TuxCare, OpenLogic
EOL Java JDK builds and security patches beyond vendor JDK EOL Teams running legacy JDK versions in production Azul, TuxCare, OpenLogic, Red Hat
EOL Windows / Microsoft Microsoft-only Extended Security Updates for Windows Server, SQL Server, and Windows client Enterprises on legacy Windows infrastructure Microsoft ESU (sole source)
Databases Security patching for EOL database engines and versions Teams unable to upgrade database major versions quickly TuxCare, OpenLogic, Azul (Java-adjacent), Red Hat ELS

Where endoflife.ai fits: we track the EOL dates and risk exposure across 460+ products and match teams with the right provider for their specific coverage need — free, no obligation. We don't sell extended support ourselves; we route you to the vendor suited to your stack.

Not sure which category fits your stack?
Tell us what you're running and we'll match you with the right provider.
Free · no obligation · we match you with the right provider
Get Matched With a Provider →

EOL Linux Distros

This is the most mature corner of the extended-support market. When a distribution like CentOS, Ubuntu LTS, or Debian reaches EOL, its package repositories stop receiving security fixes, but the binaries themselves keep running exactly as before — which is precisely why this category exists. Vendors here backport CVE fixes into the existing package set without requiring a distro upgrade, so the honest tradeoff is: you avoid the disruption of an OS migration in the short term, but you're paying an ongoing fee for a distribution that will eventually need to be replaced anyway, and CVE coverage scope varies by vendor and package set — verify what's actually included before assuming full parity with the original vendor's patch stream.

Running an EOL Linux distro?

Get matched with a provider suited to your distro and version.

Free · no obligation · we match you with the right provider
Get Matched →

EOL App Frameworks & Languages

This category covers EOL language runtimes (like PHP 7.x) and EOL frontend/backend frameworks (like AngularJS). It's a newer, faster-growing part of the market than Linux ESU, largely because modern web applications accumulate framework-version debt quickly and rewrites are expensive. The honest tradeoff here is sharper than in Linux: framework-level patching is inherently narrower in scope than OS-level patching, since a framework vendor is backporting fixes into application-layer code rather than isolated OS packages, so due diligence on exactly which CVE classes are covered matters more in this category than almost any other.

Running an EOL framework or language runtime?

Get matched with a provider suited to your stack.

Free · no obligation · we match you with the right provider
Get Matched →

EOL Java

Java has a distinct extended-support ecosystem because of how JDK distributions work: several vendors ship their own OpenJDK builds with independent support timelines, so "EOL Java" can mean different things depending on which JDK distribution you're actually running. Vendors in this space typically offer both continued JDK builds and CVE patching for versions the original distributor has stopped supporting. The tradeoff to weigh honestly: switching JDK vendors entirely (rather than buying extended support for your current one) is sometimes the simpler and cheaper path, since JDK compatibility across vendors is generally strong — extended support is most valuable when you're locked to a specific vendor's build for certification or contractual reasons.

Running an EOL Java version?

Get matched with a provider suited to your JDK distribution.

Free · no obligation · we match you with the right provider
Get Matched →

EOL Windows / Microsoft

This category is structurally different from the rest: for Windows Server, Windows client, and SQL Server, Extended Security Updates are sold only by Microsoft — there is no third-party vendor offering an equivalent, sanctioned patch stream for the underlying OS or database engine itself. The honest tradeoff is narrower than elsewhere in this market: your real decision isn't which vendor to pick, it's whether to buy Microsoft's ESU program (via Azure Arc or volume licensing), migrate to a supported version, or move the workload to a cloud platform where the version-lifecycle problem is handled for you. Third-party extended-support vendors do operate around the edges of the Microsoft ecosystem — for software running on top of Windows, for instance — but not for Microsoft's own ESU-gated products.

Running EOL Windows Server, Windows client, or SQL Server?

Get matched with the right path for your Microsoft stack.

Free · no obligation · we match you with the right provider
Get Matched →

Databases

Database extended support spans open-source engines (MySQL, PostgreSQL, MariaDB) and, indirectly, database-adjacent Java runtimes where the database itself runs on a JVM. The buying calculus tends to be more conservative here than in other categories, because databases sit closer to the data itself — teams weigh the operational risk of an unpatched database engine against the operational risk of a major-version upgrade that could affect query behavior or compatibility with existing application code. The honest tradeoff: extended support buys time to test a database upgrade properly rather than rushing it, but it doesn't reduce the eventual migration effort — it only delays it.

Running an EOL database version?

Get matched with a provider suited to your database engine.

Free · no obligation · we match you with the right provider
Get Matched →

Frequently Asked Questions

What is an extended-lifecycle-support vendor?

A company that continues shipping security patches for software after its original vendor has stopped — for a fee. Coverage typically includes CVE-driven backports for a defined period after end of life, without requiring an upgrade to a newer, supported version.

Is extended support the same across every category?

No. Coverage, pricing models, and typical buyers differ significantly between EOL Linux distributions, app frameworks and languages, Java, Windows/Microsoft ESU, and databases. A vendor strong in one category is not automatically the right fit for another.

Does endoflife.ai sell extended support directly?

No. endoflife.ai tracks end-of-life dates and risk exposure across 460+ products and matches teams with an appropriate extended-support or migration provider. The matching is free and comes with no obligation.

How do I know if I need extended support instead of just migrating?

It depends on your risk window and the workload's exposure. If a migration can complete before compliance or security risk becomes unacceptable, migration alone may be sufficient. If not — especially for compliance-critical or internet-facing workloads — extended support is typically used as a bridge while migration proceeds.

Ready to find the right extended-support provider for your stack?

We track the dates and match you with the right provider for your situation.

Free · no obligation · we match you with the right provider
Get Matched → Browse the full product index

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.