Release date: January 20, 2026
The full version string for this update release is 25.0.2+10 (where "+" means "build"). The version number is 25.0.2. This JDK conforms to version 25 of the Java SE Specification (JSR 400 2025-09-16).
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 25.0.2 are specified in the following table:
| Java Family Version | Security Baseline (Full Version String) |
|---|---|
| 25 | 25.0.2+10 |
| 21 | 21.0.10+8 |
| 17 | 17.0.18+8 |
| 11 | 11.0.30+7 |
| 8 | 1.8.0_481-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 25.0.2) be used after the next critical patch update scheduled for April 21, 2026.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews, such as identifying potentially vulnerable third-party libraries used by your Java programs. Existing Java Management Service users can log in to their dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java installations.
RMI will use TLS connections if the javax.rmi.ssl.SslRMIClientSocketFactory class is used. These connections now have TLS endpoint identification enabled by default. This may cause some previously-working TLS connections to fail. If this occurs, ensure that the certificate presented by the server has a Subject Alternative Name that matches the server's hostname. Alternatively, endpoint identification for RMI TLS connections can be disabled on the client side by setting the jdk.rmi.ssl.client.enableEndpointIdentification system property to false.
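A pre-upgrade check for the remediation described above, as an added example that is not part of Oracle's release notes or the JDK's code: it loads an exported server certificate and reports whether a dNSName or iPAddress Subject Alternative Name entry covers the name RMI clients connect to. The class name `RmiSanCheck` is hypothetical, and the matching rules (exact match, or a wildcard covering one leftmost label) are a simplified assumption rather than the JDK's own hostname checker.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/** Added example: does a server certificate's SAN cover the name RMI clients connect to? */
public class RmiSanCheck {
    private static final int DNS_NAME = 2, IP_ADDRESS = 7; // RFC 5280 GeneralName tags

    /** Exact match, or "*.example.com" matching exactly one leftmost label (simplified). */
    static boolean dnsMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (p.startsWith("*.")) {
            int dot = h.indexOf('.');
            return dot > 0 && h.substring(dot).equals(p.substring(1));
        }
        return p.equals(h);
    }

    static boolean sanCovers(X509Certificate cert, String host) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false; // certificate has no SAN extension at all
        for (List<?> san : sans) {
            int type = (Integer) san.get(0); // entry 0 is the tag, entry 1 the value
            if (type == DNS_NAME && dnsMatches((String) san.get(1), host)) return true;
            if (type == IP_ADDRESS && host.equals(san.get(1))) return true; // textual match
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java RmiSanCheck.java <server-cert.pem> <hostname>");
            System.exit(2);
        }
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            boolean ok = sanCovers(cert, args[1]);
            System.out.println((ok ? "OK: SAN covers " : "MISMATCH: no SAN entry covers ") + args[1]);
            System.exit(ok ? 0 : 1);
        }
    }
}
```

Run it as `java RmiSanCheck.java server.pem rmi.example.com`, where both arguments are placeholders; the certificate file may be PEM or DER encoded.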
G1, the default garbage collector, can again properly utilize Transparent Huge Pages (THP) on systems with the THP mode configured as madvise.
The issue preventing the option -XX:+UseTransparentHugePages from enabling THP has been resolved.
For the JDK 11+ LTS families, the JDK will install into a version-specific installation directory by default. The installation directory of 11+ will have a - before the version-specific string to keep consistency with the past 11+ conventions per family. A junction, also known as a symlink for Windows, will also be created in a "latest" directory. It will point to the latest version of that family. Here is an example breakdown of installation and junction locations for the 11+ families:
| Version | Installation Directory | Junction Location |
|---|---|---|
| jdk25.0.2 | C:\Program Files\Java\jdk-25.0.2 | C:\Program Files\Java\latest\jdk-25 |
| jdk17.0.18 | C:\Program Files\Java\jdk-17.0.18 | C:\Program Files\Java\latest\jdk-17 |
| jdk11.0.30 | C:\Program Files\Java\jdk-11.0.30 | C:\Program Files\Java\latest\jdk-11 |
Each junction will always point to the latest JDK of the matching LTS family. The junction for each family will be removed when the last JDK of the matching LTS family is uninstalled.
The jcmd command will be available in the headless JDK RPM instead of the headful JDK RPM.
It will be added to the java alternatives group instead of the javac alternatives group.
A new system and security property, com.sun.security.allowedAIALocations, has been introduced. This property allows users to define one or more filtering rules to be applied to URIs obtained from the authority info access extension on X.509 certificates. These filter rules are applied specifically to the CA issuers access method. Any CA issuers URIs in X.509 certificates are only followed when the com.sun.security.enableAIAcaIssuers system property is enabled and the filter allows the URI.
In order to set the rules, the user must set either the com.sun.security.allowedAIALocations security property or the system property by the same name. If the system property has a value, it will override the security property. By default the property is blank, which enacts a deny-all ruleset.
For either property, the value consists of a set of space-separated rules that take the form of a URI, with the following constraints:
/ab/cd/ will match a CA issuer path of /ab/cd/, /ab/cd/ef and /ab/cd/ef/ghi.).
For the properties, a single value of "any" (case-insensitive) will create an allow-all rule.
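An audit helper for the settings described above, as an added example that is not part of Oracle's release notes or the JDK's code: it reports whether the running JVM's CA issuers fetching is off, deny-all, allow-all or restricted to listed rules. The class name `AiaPolicyAudit` is hypothetical, and treating any set system property (even an empty one) as overriding the security property is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Added example: report the effective CA issuers (AIA) fetching policy of this JVM. */
public class AiaPolicyAudit {
    static final String RULES = "com.sun.security.allowedAIALocations";
    static final String ENABLE = "com.sun.security.enableAIAcaIssuers";

    /** sysProp and secProp are the raw property values; null means "not set". */
    static List<String> audit(boolean aiaEnabled, String sysProp, String secProp) {
        List<String> out = new ArrayList<>();
        if (!aiaEnabled) {
            out.add("off: CA issuers URIs are never followed (" + ENABLE + " is not enabled)");
            return out;
        }
        // Assumption: a system property that is set at all overrides the security property.
        String source = sysProp != null ? "system" : "security";
        String value = sysProp != null ? sysProp : secProp;
        if (value == null || value.isBlank()) {
            out.add("deny-all: " + source + " property is blank");
        } else if (value.trim().equalsIgnoreCase("any")) {
            out.add("WARNING allow-all: " + source + " property is \"any\"");
        } else {
            for (String rule : value.trim().split("\\s+")) { // rules are space-separated
                try {
                    new URI(rule); // syntax check only; each rule must take the form of a URI
                    out.add("rule (" + source + " property): " + rule);
                } catch (URISyntaxException e) {
                    out.add("WARNING not a URI: " + rule);
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        audit(Boolean.getBoolean(ENABLE), System.getProperty(RULES), Security.getProperty(RULES))
                .forEach(System.out::println);
    }
}
```

Run it with the same `-D` options and security properties file as the application being reviewed, for example `java -Dcom.sun.security.enableAIAcaIssuers=true -Dcom.sun.security.allowedAIALocations="http://pki.example.com/ca/" AiaPolicyAudit.java`, where the host is a placeholder.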
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
Issues fixed in 25.0.2:
| # | JBS | Component/Subcomponent | Summary |
|---|---|---|---|
| 1 | JDK-8366208 | client-libs/2d | Unexpected exception in sun.java2d.cmm.lcms.LCMSImageLayout |
| 2 | JDK-8367384 | client-libs/2d | The ICC_Profile class may throw exceptions during serialization |
| 3 | JDK-8361748 | client-libs/2d | Enforce limits on the size of an XBM image |
| 4 | JDK-8354646 | client-libs/java.awt | java.awt.TextField allows to identify the spaces in a password when double clicked at the starting and end of the text |
| 5 | JDK-8358532 | client-libs/javax.swing | JFileChooser in GTK L&F still displays HTML filename |
| 6 | JDK-8349188 | client-libs/javax.swing | LineBorder does not scale correctly |
| 7 | JDK-8358813 | client-libs/javax.swing | JPasswordField identifies spaces in password via delete shortcuts |
| 8 | JDK-8370465 | client-libs/javax.swing | Right to Left Orientation Issues with MenuItem Component |
| 9 | JDK-8365086 | core-libs/java.net | CookieStore.getURIs() and get(URI) should return an immutable List |
| 10 | JDK-8357959 | core-libs/java.nio | (bf) ByteBuffer.allocateDirect initialization can result in large TTSP spikes |
| 11 | JDK-8369656 | core-libs/java.util.concurrent | Calling CompletableFuture.join() could execute task in common pool |
| 12 | JDK-8369184 | core-libs/java.util:i18n | SimpleTimeZone equals() Returns True for Unequal Instances with Different hashCode Values |
| 13 | JDK-8364296 | hotspot/compiler | Set IntelJccErratumMitigation flag ergonomically |
| 14 | JDK-8365265 | hotspot/compiler | x86 short forward jump exceeds 8-bit offset in methodHandles_x86.cpp when using Intel APX |
| 15 | JDK-8360867 | hotspot/compiler | CTW: Disable inline cache verification |
| 16 | JDK-8357396 | hotspot/compiler | Refactor nmethod::make_not_entrant to use Enum instead of "const char*" |
| 17 | JDK-8361180 | hotspot/compiler | Disable CompiledDirectCall verification with -VerifyInlineCaches |
| 18 | JDK-8365468 | hotspot/compiler | EagerJVMCI should only apply to the CompilerBroker JVMCI runtime |
| 19 | JDK-8367333 | hotspot/compiler | C2: Vector math operation intrinsification failure |
| 20 | JDK-8362530 | hotspot/compiler | VM crash with -XX:+PrintTieredEvents when collecting AOT profiling |
| 21 | JDK-8367780 | hotspot/compiler | Enable UseAPX on Intel CPUs only when both APX_F and APX_NCI_NDD_NF cpuid features are present |
| 22 | JDK-8361211 | hotspot/compiler | C2: Final graph reshaping generates unencodeable klass constants |
| 23 | JDK-8368071 | hotspot/compiler | Compilation throughput regressed 2X-8X after JDK-8355003 |
| 24 | JDK-8370318 | hotspot/compiler | AES-GCM vector intrinsic may read out of bounds (x86_64, AVX-512) |
| 25 | JDK-8361892 | hotspot/compiler | AArch64: Incorrect matching rule leading to improper oop instruction encoding |
| 26 | JDK-8358751 | hotspot/compiler | C2: Recursive inlining check for compiled lambda forms is broken |
| 27 | JDK-8359104 | hotspot/gc | gc/TestAlwaysPreTouchBehavior.java#<gcname> fails on Linux |
| 28 | JDK-8350621 | hotspot/gc | Code cache stops scheduling GC |
| 29 | JDK-8367948 | hotspot/jfr | JFR: MethodTrace threshold setting has no effect |
| 30 | JDK-8364257 | hotspot/jfr | JFR: User-defined events and settings with a one-letter name cannot be configured |
| 31 | JDK-8364993 | hotspot/jfr | JFR: Disable jdk.ModuleExport in default.jfc |
| 32 | JDK-8364556 | hotspot/jfr | JFR: Disable SymbolTableStatistics and StringTableStatistics in default.jfc |
| 33 | JDK-8364190 | hotspot/jfr | JFR: RemoteRecordingStream withers don't work |
| 34 | JDK-8368670 | hotspot/jfr | Deadlock in JFR on event register + class load |
| 35 | JDK-8365165 | hotspot/runtime | Zap C-heap memory at delete/free |
| 36 | JDK-8359423 | hotspot/runtime | Improve error message in case of missing jsa shared archive |
| 37 | JDK-8365823 | hotspot/runtime | Revert storing abstract and interface Klasses to non-class metaspace |
| 38 | JDK-8356324 | hotspot/runtime | JVM crash (SIGSEGV at ClassListParser::resolve_indy_impl) during -Xshare:dump starting from 21.0.5 |
| 39 | JDK-8343218 | hotspot/runtime | Add option to disable allocating interface and abstract classes in non-class metaspace |
| 40 | JDK-8363928 | hotspot/runtime | Specifying AOTCacheOutput with a blank path causes the JVM to crash |
| 41 | JDK-8364198 | hotspot/runtime | NMT should have a better corruption message |
| 42 | JDK-8364199 | hotspot/runtime | Enhance list of environment variables printed in hserr/hsinfo file |
| 43 | JDK-8364235 | hotspot/runtime | Fix for JDK-8361447 breaks the alignment requirements for GuardedMemory |
| 44 | JDK-8369506 | hotspot/runtime | Bytecode rewriting causes Java heap corruption on AArch64 |
| 45 | JDK-8369190 | hotspot/runtime | JavaFrameAnchor on AArch64 has unnecessary barriers and wrong store order in MacroAssembler |
| 46 | JDK-8364660 | hotspot/runtime | ClassVerifier::ends_in_athrow() should be removed |
| 47 | JDK-8367689 | hotspot/svc-agent | Revert removal of several compilation-related vmStructs fields |
| 48 | JDK-8358723 | tools/jpackage | jpackage signing issues: the main launcher doesn't have entitlements |
| 49 | JDK-8371094 | tools/jpackage | --mac-signing-key-user-name no longer works |
| 50 | JDK-8365790 | tools/jpackage | Shutdown hook for application image does not work on Windows |
| 51 | JDK-8372753 | tools/jpackage | jpackage ignores --file-associations option with predefined app image |