JDK 25.0.3 Release Notes
Java SE 25.0.3 - Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 25.0.3 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Changes in Java SE 25.0.3.0.1
Bug Fixes
Release date: April 21, 2026
Fixes from the prior BPR are included in this version.
Java™ SE Development Kit 25, Update 25.0.3 (JDK 25.0.3)
Release date: April 21, 2026
The full version string for this update release is 25.0.3+9 (where "+" means "build"). The version number is 25.0.3. This JDK conforms to version 25 of the Java SE Specification (JSR 400 2025-09-16).
IANA TZ Data 2026a
JDK 25.0.3 contains IANA time zone data 2026a which contains the following changes:
- Several code changes for compatibility with FreeBSD.
- The only changed data are leap second table expiration and pre-1976 time in Baja California.
- Moldova has used EU transition times since 2022.
- The "right" TZif files are no longer installed by default.
- -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds.
- TZif files are no longer limited to 50 bytes of abbreviations.
- zic is no longer limited to 50 leap seconds.
- Several integer overflow bugs have been fixed.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 25.0.3 are specified in the following table:
| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 25 | 25.0.3+9 |
| 21 | 21.0.11+9 |
| 17 | 17.0.19+9 |
| 11 | 11.0.31+9 |
| 8 | 1.8.0_491-b10 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 25.0.3) be used after the next critical patch update scheduled for July 21, 2026.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
New Features
The keytool command reads passwords from the system console to prevent them from being displayed on the screen. However, the console is usually available only when both the standard input and output streams are not redirected. Previously, if the standard output stream was redirected into a file or another command, the console was unavailable and the input password was echoed on the screen. This enhancement improves password handling to ensure that the password is not displayed on the screen even if the standard output stream is redirected. This enhancement has also been made to the jarsigner command and the JAAS TextCallbackHandler API.
The G1 garbage collector now throws an OutOfMemoryException (OOME) when the garbage collection overhead is more than GCTimeLimit percent (default value 98) and the free Java heap is less than GCHeapFreeLimit percent (default value 2) for five consecutive garbage collections.
This feature is enabled by default. It can be disabled using the -XX:-UseGCOverheadLimit option.
The implementation mirrors the functionality already provided by the Parallel garbage collector. However there may be differences in the exact conditions for the OOME triggers as G1 calculates garbage collection overhead and free Java heap slightly differently.
The <java-home>/lib/src.zip file distributed with the Oracle JDK now contains sources for JCE, JGSS, and JSSE. Debugging tools can now examine or display most of the security source files.
A new security property named jdk.crypto.disabledAlgorithms has been introduced to disable algorithms for JCE/JCA cryptographic services. Initially, this property only supports the Cipher, KeyStore, MessageDigest, and Signature services. This property is defined in the java.security file and initially no algorithms are disabled by default. However, this may change in the future. This security property can be overridden by a system property of the same name if applications need to re-enable algorithms.
See Disabled and Restricted Cryptographic Algorithms for more information.
Known Issues
A full SuSE Enterprise Linux Server, SLES for short, version 16 desktop installation does not include a package, xdg-desktop-portal-gnome, which is needed for full operation of the JDK desktop applications. This applies to all Oracle JDK versions.
Users should install this package, using standard SLES package repository commands, such as by running:
% sudo zypper install xdg-desktop-portal-gnome
% sudo reboot now
Other Notes
The JDK will stop trusting TLS server certificates issued after March 17, 2026 and anchored by Chunghwa root certificates, in line with similar plans announced by Google and Mozilla.
TLS server certificates issued on or before March 17, 2026 will continue to be trusted until they expire. Certificates issued after that date, and anchored by the Certificate Authority listed in the table below, will be rejected.
The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after March 17, 2026.
An application will receive an exception with a message indicating the trust anchor is not trusted, for example:
"TLS Server certificate issued after 2026-03-17 and anchored by a distrusted legacy Chunghwa root CA: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd." C=TW"
The JDK can be configured to trust these certificates again by removing "CHUNGHWA_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.
The restrictions are imposed on the following Chunghwa Root certificates included in the JDK:
| Distinguished Name | SHA-256 Fingerprint |
|---|---|
| OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW | C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5 |
You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.
Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 25.0.3:| # | JBS | Component/Subcomponent | Summary |
|---|---|---|---|
| 1 | JDK-8373727 | client-libs/2d | New XBM images parser regression: only the first line of the bitmap array is parsed |
| 2 | JDK-8373290 | client-libs/2d | Update FreeType to 2.14.1 |
| 3 | JDK-8379158 | client-libs/2d | Update FreeType to 2.14.2 |
| 4 | JDK-8372756 | client-libs/java.awt | Mouse additional buttons and horizontal scrolling are broken on XWayland GNOME >= 47 after JDK-8351907 |
| 5 | JDK-8372534 | client-libs/java.awt | Update Libpng to 1.6.51 |
| 6 | JDK-8372048 | client-libs/java.awt | Performance improvement on Linux remote desktop |
| 7 | JDK-8375063 | client-libs/java.awt | Update Libpng to 1.6.54 |
| 8 | JDK-8372977 | client-libs/java.awt | Unnecessary gthread-2.0 loading |
| 9 | JDK-8373946 | client-libs/javax.swing | Synth ProgressBarUI implementation confuses background painting with border painting |
| 10 | JDK-8366261 | core-libs/java.io | Provide utility methods for sun.security.util.Password |
| 11 | JDK-8369227 | core-libs/java.lang | Virtual thread stuck in PARKED state |
| 12 | JDK-8372835 | core-libs/java.util.concurrent | WorkQueue::push is missing an acquire-fence |
| 13 | JDK-8372704 | core-svc/java.lang.management | ThreadMXBean.getThreadUserTime may return total time |
| 14 | JDK-8373525 | hotspot/compiler | C2: assert(_base == Long) failed: Not a Long |
| 15 | JDK-8370325 | hotspot/gc | G1: Disallow GC for TLAB allocation |
| 16 | JDK-8369255 | hotspot/jfr | Assess and remedy any unsafe usage of the Semaphores used by JFR |
| 17 | JDK-8369991 | hotspot/jfr | Thread blocking during JFR emergency dump must be in safepoint safe state |
| 18 | JDK-8365972 | hotspot/jfr | JFR: ThreadDump and ClassLoaderStatistics events may cause back to back rotations |
| 19 | JDK-8371014 | hotspot/jfr | Dump JFR recording on CrashOnOutOfMemoryError is incorrectly implemented |
| 20 | JDK-8371944 | hotspot/runtime | AOT configuration is corrupted when app closes System.out |
| 21 | JDK-8368551 | hotspot/runtime | Core dump warning may be confusing |
| 22 | JDK-8356868 | hotspot/runtime | Not all cgroup parameters are made available |
| 23 | JDK-8365526 | hotspot/runtime | Crash with null Symbol passed to SystemDictionary::resolve_or_null |
| 24 | JDK-8375549 | security-libs/java.security | ConcurrentModificationException if jdk.crypto.disabledAlgorithms has multiple entries with known oid |
| 25 | JDK-8374555 | security-libs/java.security | No need for visible input warning in s.s.u.Password when not reading from System.in |
| 26 | JDK-8358801 | tools/javac | javac produces class that does not pass verifier. |
| 27 | JDK-8336695 | xml/jaxp | Update Commons BCEL to Version 6.10.0 |