HeroDevs Blog | .NET End-of-Life (EOL) Dates: What You Need to Know

For Qualys admins, NES for .NET directly resolves the EOL/Obsolete Software: Microsoft .NET Version 6 Detected vulnerability, ensuring your systems remain secure and compliant. Fill out the form to get pricing details and learn more.

.NET has been one of the most widely deployed application platforms in the world since .NET Core 1.0 launched in June 2016 as Microsoft's cross-platform, open-source reimagining of the .NET Framework. Beginning with .NET 5, Microsoft dropped the "Core" branding entirely, but the lineage is continuous: .NET Core 1.0 through 3.1, then .NET 5 through today's .NET 10, with .NET 11 arriving in November 2026.

That continuity comes with a relentless lifecycle. Microsoft ships a new major version every November, and support windows are short: three years for Long-Term Support (LTS) releases and 24 months for Standard-Term Support (STS) releases. The result is a calendar where something important is always expiring. Right now, the date that matters most is November 10, 2026, when .NET 8 and .NET 9 both reach end of life on the same day.

This guide is the definitive reference for every .NET Core and modern .NET release, its support timeline, the CVEs affecting versions past end of life, and what your options are if you cannot migrate before the deadline.

‍

How .NET's Support Policy Works

Microsoft publishes new major versions of .NET every November and alternates between two release types:

Long-Term Support (LTS): Even-numbered releases (.NET 6, 8, 10). Supported for three years from general availability.
Standard-Term Support (STS): Odd-numbered releases (.NET 5, 7, 9, 11). Originally supported for 18 months; in September 2025 Microsoft extended STS support to 24 months, effective with .NET 9.
End of Life (EOL): Also called end of support (EOS). Microsoft no longer provides fixes, updates, or technical assistance of any kind.

Two policy details matter in practice. First, starting with .NET Core 3.1, end-of-life dates align with Microsoft Patch Tuesday (the second Tuesday of the month), which is why EOL dates land on dates like November 10 rather than a release anniversary. Second, to remain in a supported state you must be running the latest patch release of your major version. An application on 8.0.15 is technically out of support policy even though .NET 8 itself is supported; Microsoft expects you to be on the latest 8.0.x.

The STS extension to 24 months produced an unusual side effect: .NET 9's extended window now ends on exactly the same day as .NET 8's LTS window. Microsoft's announcement was explicit that .NET 8 and .NET 9 reach end of support on the same day, November 10, 2026. Teams on both tracks face the same deadline.

‍

Complete .NET Version Timeline

Version	Type	Release Date	End of Life	Status	Key Feature
.NET 11	STS	Expected November 2026	Expected late 2028	Expected	Runtime Async on by default, CoreCLR for WebAssembly and Android
.NET 10	LTS	November 11, 2025	November 14, 2028	Active	Current LTS, supported through 2028
.NET 9	STS	November 12, 2024	November 10, 2026	Expiring soon	First STS with 24-month support window
.NET 8	LTS	November 14, 2023	November 10, 2026	Expiring soon	Native AOT maturity, Blazor unified model
.NET 7	STS	November 8, 2022	May 14, 2024	EOL	Rate limiting APIs, performance work
.NET 6	LTS	November 8, 2021	November 12, 2024	EOL	Minimal APIs, hot reload, unified platform
.NET 5	STS	November 10, 2020	May 10, 2022	EOL	First release to drop "Core" branding
.NET Core 3.1	LTS	December 3, 2019	December 13, 2022	EOL	Final ".NET Core" branded release
.NET Core 3.0	STS	September 23, 2019	March 3, 2020	EOL	WPF and Windows Forms support
.NET Core 2.2	STS	December 4, 2018	December 23, 2019	EOL	Health checks, endpoint routing
.NET Core 2.1	LTS	May 30, 2018	August 21, 2021	EOL	Span<T>, HttpClientFactory
.NET Core 2.0	STS	August 14, 2017	October 1, 2018	EOL	.NET Standard 2.0
.NET Core 1.1	STS	November 16, 2016	June 27, 2019	EOL	Expanded OS support
.NET Core 1.0	LTS	June 27, 2016	June 27, 2019	EOL	First cross-platform .NET

Source dates verified against endoflife.date/dotnet and Microsoft's official .NET support policy.

‍

Versions Reaching EOL Next: What to Watch

.NET 8 End of Life: November 10, 2026

.NET 8 is the version most enterprises standardized on, and its three-year LTS window closes on November 10, 2026. After that date, Microsoft ships no further patches of any kind, including for vulnerabilities like the one disclosed in October 2025:

CVE-2025-55315 (CVSS 9.9): An HTTP request smuggling flaw in Kestrel, ASP.NET Core's built-in web server. Microsoft's .NET security lead described the score as the highest ever assigned to an ASP.NET Core vulnerability. By hiding one HTTP request inside another, an attacker can bypass security controls, enabling credential spoofing, CSRF protection bypass, and injection attacks. Affected: ASP.NET Core 8.0.0 through 8.0.20 (fixed in 8.0.21), 9.0.0 through 9.0.9 (fixed in 9.0.10), and 6.0.x, which received no official fix because .NET 6 was already past end of life. Microsoft's advisory did not list .NET 6 at all; HeroDevs security engineers independently reproduced the exploit within hours of disclosure and confirmed .NET 6 is vulnerable, publishing an open-source reproduction tool. See the vulnerability directory entry and our full analysis of CVE-2025-55315.

CVE-2025-55315 is a preview of what November 2026 looks like for .NET 8. The April 2026 Patch Tuesday already demonstrated the monthly rhythm that will continue after .NET 8's window closes:

CVE-2026-32178: A high-severity SMTP header injection flaw in System.Net.Mail (CWE-138, improper neutralization of special elements), titled by Microsoft as a .NET remote code execution vulnerability. Affects .NET 8, 9, and 10, plus .NET Framework; fixed in 8.0.26, 9.0.15, and 10.0.6. HeroDevs confirmed the flaw is also present in .NET 6, which will never receive a Microsoft fix. Directory entry and full write-up.
CVE-2026-26171 (CVSS 7.5): A network-accessible denial-of-service vulnerability in the EncryptedXml class within System.Security.Cryptography.Xml, requiring no authentication or user interaction. Affects .NET 8, 9, and 10, plus .NET Framework; fixed in 8.0.26, 9.0.15, and 10.0.6. Directory entry and full write-up.
CVE-2025-24070 (CVSS 7.0): A weak authentication flaw in Microsoft.AspNetCore.Identity. Calling RefreshSignInAsync with a different user than the one authenticated allowed session refresh as that other user, an elevation of privilege. Affected ASP.NET Core 8.0.0 through 8.0.13 (fixed in 8.0.14) and 9.0.0 through 9.0.2 (fixed in 9.0.3), plus all of 6.0.x. Directory entry.

If your dependency scanner is quiet today, it will not stay quiet. Patch Tuesday arrives every month whether or not your runtime is still eligible for it.

‍

.NET 9 End of Life: November 10, 2026

.NET 9 shipped in November 2024 as an STS release and benefited from Microsoft's extension of STS support from 18 to 24 months. The extension moved its end-of-life date from May 12, 2026 to November 10, 2026, the same day as .NET 8. Teams that adopted .NET 9 for current features and teams that stayed on .NET 8 for stability are converging on a single deadline, which concentrates migration demand (and consultant availability, and internal platform team bandwidth) into the same quarter.

.NET 9 shares the CVE exposure described above, including CVE-2025-55315 (fixed in 9.0.10), CVE-2026-32178 and CVE-2026-26171 (fixed in 9.0.15), and CVE-2025-24070 (fixed in 9.0.3).

‍

Already EOL: .NET 6 and .NET 7

.NET 6 reached end of life on November 12, 2024, and .NET 7 on May 14, 2024, yet vulnerability scanners still flag both constantly in enterprise environments. Qualys and similar tools report findings titled "EOL/Obsolete Software: Microsoft .NET Version 6 Detected," and there is no Microsoft patch that clears the finding.

The CVE record since then shows what unsupported means in practice. CVE-2025-55315 affects ASP.NET Core 6.0.0 through 6.0.36 (the final Microsoft build of .NET 6), and Microsoft's advisory provided fixes only for .NET 8, 9, and 10. The gap is wide enough that HeroDevs has submitted CVEs to MITRE specifically scoped to EOL .NET: CVE-2025-7326 documents the RefreshSignInAsync elevation-of-privilege flaw in .NET 6, which Microsoft's CVE-2025-24070 advisory did not cover because the version was already out of support.

The backlog accumulates quickly. The January 2025 Patch Tuesday alone left three unpatched findings on .NET 6: CVE-2025-21176 (CVSS 8.8, a buffer over-read remote code execution flaw also affecting 8.0.0 through 8.0.11), CVE-2025-21172 (an integer overflow and heap-based overflow exploitable via crafted files), and CVE-2025-21173 (local privilege escalation through insecure temporary file handling in the .NET SDK on Linux). Reach back to 2024 and the list grows with use-after-free remote code execution flaws like CVE-2024-38229 (an HTTP/3 race condition in ASP.NET Core) and CVE-2024-35264. Add the 2026 disclosures above, and every one of these is a permanent open finding on .NET 6 unless patched through a third party.

‍

Looking Ahead: .NET 11 (Expected November 2026)

.NET 11 is an STS release expected in November 2026, with previews shipping since February 2026 (Preview 4 arrived May 12, 2026). Headline changes include Runtime Async enabled by default for cleaner stack traces and lower overhead in async-heavy code, CoreCLR replacing Mono for WebAssembly and Android workloads, native Zstandard compression support, and C# 15 language work. For a deeper enterprise-focused breakdown, see our post on .NET 11 Preview 1.

Note the timing: .NET 11 arrives the same month .NET 8 and 9 expire. Teams hoping to skip .NET 10 and land directly on .NET 11 would be adopting a brand-new STS release, in production, during their migration crunch. Most enterprises will be better served targeting .NET 10 LTS, which is supported through November 14, 2028.

‍

What Happens After End of Life

When a .NET version reaches EOL, three things happen immediately:

Security patches stop. New CVEs disclosed against EOL versions go unpatched by Microsoft. CVE-2025-55315 is the clearest recent example: a CVSS 9.9 vulnerability where .NET 6 users were excluded from the fix because their version had expired eleven months earlier. Microsoft also stops issuing CVE advisories scoped to EOL versions, so the official record undercounts your actual exposure.
Platform compatibility degrades. Operating systems, container base images, TLS standards, and dependency ecosystems keep moving. Microsoft removes EOL versions from supported OS package feeds and stops producing updated container images, so even rebuilding an existing application gets harder over time.
Compliance audits flag it. SOC 2, PCI DSS, HIPAA, FedRAMP, and the EU Cyber Resilience Act all require supported software. Scanners like Qualys, Nessus, and Defender flag EOL .NET runtimes automatically, and "EOL/Obsolete Software" findings cannot be remediated with configuration changes. The finding persists until the runtime is upgraded or covered by a supported alternative.

‍

Options for EOL .NET Versions

1. Upgrade to .NET 10 LTS. The best long-term strategy for most teams. .NET 10 is supported through November 14, 2028, giving you a three-year runway. Microsoft's .NET Upgrade Assistant and the dotnet-outdated tool help identify breaking changes and incompatible packages early. Budget real time for dependency audits: the runtime upgrade is often the easy part, while third-party NuGet packages pinned to older target frameworks are where migrations stall.

2. Re-platform. Some organizations treat a .NET EOL event as the trigger for a larger architectural change, such as consolidating services or moving workloads to a different stack. This is the most expensive and slowest option, and it does not address the security gap in the interim.

3. Adopt commercial extended support. HeroDevs Never-Ending Support (NES) for .NET provides secure drop-in replacements for .NET 6, 8, and 9. NES coverage begins the day Microsoft's support ends, with no gap in patching. NES for .NET has already shipped fixes that Microsoft did not, including the CVE-2025-55315 patch for .NET 6 (delivered in NES release 6.0.39), along with remediations for CVE-2026-32178, CVE-2026-26171, CVE-2025-24070, CVE-2025-7326, CVE-2025-21176, CVE-2025-21172, CVE-2025-21173, CVE-2024-38229, and CVE-2024-35264. The full patch history is public in the NES for .NET release notes. HeroDevs is a member of the .NET Security Group, which provides advance CVE disclosure coordinated with Microsoft, so NES patches align with Patch Tuesday. Because the replacement is drop-in, scanners stop flagging unpatched CVEs and compliance findings can be closed without an emergency migration.

‍

Is My .NET Version Supported? Quick Reference

Version Range	Status as of June 2026	Recommended Action
.NET 10	Supported (LTS) until November 14, 2028	Stay current on 10.0.x patches
.NET 9	Supported until November 10, 2026	Plan migration to .NET 10 now, or line up NES for .NET
.NET 8	Supported until November 10, 2026	Plan migration to .NET 10 now, or line up NES for .NET
.NET 6, 7	EOL, unpatched CVEs accumulating	Migrate to .NET 10, or adopt NES for .NET 6
.NET 5 and .NET Core 1.0 to 3.1	EOL for 3+ years	Migrate; these versions miss years of fixes

‍

Frequently Asked Questions

When does .NET 8 support end?

.NET 8 support ends on November 10, 2026. As an LTS release, it received three years of support from its November 14, 2023 release date. After November 10, 2026, Microsoft ships no security patches, bug fixes, or technical support for .NET 8.

Is .NET 8 LTS?

Yes. .NET 8 is a Long-Term Support release with a three-year support window. LTS status does not extend past the published end-of-life date, however: .NET 8 reaches end of life on November 10, 2026 regardless of its LTS designation.

When does .NET 9 support end?

.NET 9 support ends on November 10, 2026. It is a Standard-Term Support release, and Microsoft's extension of STS support from 18 to 24 months (announced September 2025) moved its end-of-life date from May 12, 2026 to November 10, 2026, the same day as .NET 8.

What does "EOL/Obsolete Software: Microsoft .NET Version 6 Detected" mean?

This is a vulnerability scanner finding (commonly from Qualys) indicating a host is running .NET 6, which reached end of life on November 12, 2024. The finding cannot be remediated with a Microsoft patch because none exists. Your options are removing or upgrading the runtime, or replacing it with a supported drop-in alternative such as NES for .NET, which restores a patched, supported runtime and clears the underlying condition.

When is .NET 11 coming out?

.NET 11 is expected in November 2026 as a Standard-Term Support release. Public previews have been shipping since February 2026. Under the 24-month STS policy, .NET 11's end of life would fall in late 2028, twelve months after its successor ships, though Microsoft has not published an official date.

Should I upgrade from .NET 8 to .NET 10 or wait for .NET 11?

For most production workloads, .NET 10 is the right target. It is the current LTS release, supported through November 14, 2028, and it is stable today. .NET 11 will be a brand-new STS release arriving the same month .NET 8 support ends, leaving no validation runway before your deadline.

Does .NET Core 3.1 still receive security updates?

No. .NET Core 3.1 reached end of life on December 13, 2022, and its final release was 3.1.32. No version of .NET Core (1.0 through 3.1) receives updates from Microsoft.

‍

Taking Action

The .NET calendar for the next six months is unambiguous: on November 10, 2026, .NET 8 and .NET 9 both stop receiving patches, and every CVE disclosed afterward becomes a permanent finding on those versions. CVE-2025-55315 already demonstrated how that plays out, with .NET 6 users excluded from a CVSS 9.9 fix, and the April 2026 Patch Tuesday repeated the pattern.

If your migration to .NET 10 will land before November, you are in good shape; start the dependency audit now. If it will not, or if you are still running .NET 6 in production, HeroDevs Never-Ending Support for .NET keeps versions 6, 8, and 9 patched, compliant, and audit-ready while you migrate on your own schedule. Contact HeroDevs to discuss your options.

Share via: