RELEASE NOTES FOR: 21.0.11
====================================================================================================
Notes generated: Fri Apr 17 06:16:40 CEST 2026
Hint: Prefix bug IDs with https://bugs.openjdk.org/browse/ to reach the relevant JIRA entry.
JAVA ENHANCEMENT PROPOSALS (JEP):
None.
RELEASE NOTES:
security-libs/javax.net.ssl:
JDK-8328608: Configurable New Session Tickets Count for TLSv1.3
A new system property, `jdk.tls.server.newSessionTicketCount`, sets the number of TLSv1.3
resumption tickets sent by a JSSE server per session. It can be set on the command line with
`-Djdk.tls.server.newSessionTicketCount=#`, where `#` ranges from 0 to 10. The default is 1.
For more details, see [Customizing
JSSE](https://docs.oracle.com/en/java/javase/24/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9).
JDK-8369282: Distrust TLS Server Certificates Anchored by Chunghwa Root Certificates and Issued After March 17, 2026
The JDK will stop trusting TLS server certificates issued after March 17, 2026 and anchored by
Chunghwa root certificates, in line with similar plans announced by Google and Mozilla.
TLS server certificates issued on or before March 17, 2026 will continue to be trusted until
they expire. Certificates issued after that date, and anchored by the Certificate Authority
listed in the table below, will be rejected.
The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java
Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's
certificate chain is anchored by any of the Certificate Authorities in the table below and the
certificate has been issued after March 17, 2026.
An application will receive an exception with a message indicating the trust anchor is not
trusted, for example:
```
"TLS Server certificate issued after 2026-03-17 and anchored by a distrusted legacy Chunghwa root CA: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd." C=TW"
```
The JDK can be configured to trust these certificates again by removing "CHUNGHWA_TLS" from
the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration
file.
The restrictions are imposed on the following Chunghwa Root certificates included in the JDK:
Root Certificates distrusted after 2026-03-17
| Distinguished Name | SHA-256 Fingerprint |
| --- | --- |
| OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW | C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5 |
You can also use the `keytool` utility from the JDK to print out details of the certificate
chain, as follows:
```
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
```
If any certificate in the chain listed in the output is issued by one of the root CAs in the
table above, you will need to update the certificate or contact the organization that manages
the server.
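The check this note describes can also be scripted. The following is an added example, not JDK code: it looks up the ePKI root in the default trust store by the fingerprint from the table, then tests whether a chain is anchored by it and whether the leaf was issued after the cutoff. The class name, the PEM input file (leaf certificate first) and the use of the leaf's `notBefore` date in UTC as the issue date are assumptions.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import java.time.*;
import java.util.*;
import javax.net.ssl.*;

public class ChunghwaDistrustCheck {
    // SHA-256 fingerprint of the ePKI root, copied from the table in these notes.
    static final String ROOT_SHA256 = "C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:"
            + "72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5";
    // Assumption: "issued after" is judged on the leaf's notBefore date, taken in UTC.
    static final LocalDate CUTOFF = LocalDate.of(2026, 3, 17);

    static String fingerprint(X509Certificate c) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        return HexFormat.ofDelimiter(":").withUpperCase().formatHex(digest);
    }

    // Look the root up among the JDK's default trust anchors; null if it is absent.
    static X509Certificate findRoot() throws GeneralSecurityException {
        var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (var tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager x509)
                for (X509Certificate ca : x509.getAcceptedIssuers())
                    if (fingerprint(ca).equals(ROOT_SHA256)) return ca;
        return null;
    }

    // True if the last certificate supplied is the root itself or was signed by it.
    static boolean anchoredBy(List<X509Certificate> chain, X509Certificate root)
            throws GeneralSecurityException {
        X509Certificate top = chain.get(chain.size() - 1);
        if (fingerprint(top).equals(ROOT_SHA256)) return true;
        if (root == null) return false;
        try { top.verify(root.getPublicKey()); return true; }
        catch (GeneralSecurityException e) { return false; }
    }

    static boolean issuedAfterCutoff(X509Certificate leaf) {
        return leaf.getNotBefore().toInstant().atZone(ZoneOffset.UTC).toLocalDate().isAfter(CUTOFF);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate root = findRoot();
        System.out.println("ePKI root in default trust store: " + (root != null));
        if (args.length == 0) return;
        // args[0] (assumption): PEM file with the server's chain, leaf certificate first.
        List<X509Certificate> chain = new ArrayList<>();
        try (var in = new FileInputStream(args[0])) {
            for (var c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + args[0]);
        boolean rejected = anchoredBy(chain, root) && issuedAfterCutoff(chain.get(0));
        System.out.println(rejected ? "will be rejected by CHUNGHWA_TLS" : "not affected");
    }
}
```

Run without arguments, it only reports whether the root is present in the JDK's default trust store.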
hotspot/jfr:
JDK-8365972: JFR: ThreadDump and ClassLoaderStatistics events may cause back to back rotations
The jdk.ThreadDump event is currently written when a chunk begins and ends (everyChunk), but
when it is written at the beginning, it may trigger another rotation within 1 second. This can
cause other relevant data to be flushed out very quickly, e.g. 15 seconds if using the default
max size of 250 MB.
Reproducer:
$ java Reproducer 1400 300 20
```
import java.util.concurrent.Semaphore;
import jdk.jfr.Configuration;
import jdk.jfr.Recording;

public class Reproducer {
    public static void main(String[] args) throws Exception {
        int threadCount = Integer.parseInt(args[0]);
        int stackDepth = Integer.parseInt(args[1]);
        int sleepTime = Integer.parseInt(args[2]);
        Semaphore semaphore = new Semaphore(0);
        for (int i = 0; i < threadCount; i++) {
            Thread t = new Thread(() -> stack(stackDepth, semaphore));
            t.setDaemon(true);
            t.start();
        }
        semaphore.acquire(threadCount);
        Configuration c = Configuration.getConfiguration("default");
        try (Recording r = new Recording(c)) {
            r.start();
            Thread.sleep(sleepTime * 1000);
        }
    }

    static void stack(int depth, Semaphore semaphore) {
        if (depth > 0) {
            stack(depth - 1, semaphore);
        }
        if (depth == 0) {
            semaphore.release();
            try {
                Thread.sleep(Long.MAX_VALUE);
            } catch (InterruptedException ignored) {}
        }
    }
}
```
Short-term, we could change the implementation so that jdk.ThreadDump and
jdk.ClassLoaderStatistics are only emitted when a recording starts and a chunk ends. Such a
change may be suitable for backporting.
Longer-term, we might want to address this in a more generic way so that it cannot occur with
other events as well, including user-defined ones. Three alternatives:
1) Redefine "everyChunk" so that it only emits when a recording starts and when a chunk ends.
2) Create a new keyword, e.g. "rotation", with the same semantics as option 1, but keep
"everyChunk" as is.
3) Broaden the setting so it can accept a combination of recording- or chunk-specific settings.
Regardless of approach, the new semantics must support cases where two recordings are in use
at the same time with different settings.
JDK-8365972: Reduced frequency of JFR events jdk.ThreadDump and jdk.ClassLoaderStatistics
In applications with many threads (typically more than 1,000) and deep Java stacks (typically
more than 300 frames), the `jdk.ThreadDump` event can become large enough to trigger a
recording file rotation by itself. This can cause other events to be removed earlier than
expected by the retention policy. A similar issue occurs for the `jdk.ClassLoaderStatistics`
event in applications that use several hundred thousand class loaders.
To avoid back-to-back rotations in the default configuration (`default.jfc`), the
`jdk.ThreadDump` and `jdk.ClassLoaderStatistics` events are now written only when a recording
starts and at the end of a file rotation. They are no longer written at the beginning of a new
file created by rotation.
security-libs/java.security:
JDK-8244336: New Security Property jdk.crypto.disabledAlgorithms for Restricting Algorithms at the JCE layer
A new security property named `jdk.crypto.disabledAlgorithms` has been introduced to disable
algorithms for JCE/JCA cryptographic services. Initially, this property only supports the
_Cipher_, _KeyStore_, _MessageDigest_, and _Signature_ services. This property is defined in
the `java.security` file and initially no algorithms are disabled by default. However, this
may change in the future. This security property can be overridden by a system property of the
same name if applications need to re-enable algorithms.
See [Disabled and Restricted Cryptographic
Algorithms](https://docs.oracle.com/en/java/javase/26/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-0A438179-32A7-4900-A81C-29E3073E1E90)
for more information.
JDK-8354469: Enhanced keytool Password Handling When Output Is Redirected
The `keytool` command reads passwords from the system console to prevent them from being
displayed on the screen. However, the console is usually available only when both the standard
input and output streams are not redirected. Previously, if the standard output stream was
redirected into a file or another command, the console was unavailable and the input password
was echoed on the screen. This enhancement improves password handling to ensure that the
password is not displayed on the screen even if the standard output stream is redirected. This
enhancement has also been made to the `jarsigner` command and the JAAS `TextCallbackHandler`
API.
ALL FIXED ISSUES, BY COMPONENT AND PRIORITY:
client-libs:
(P4) JDK-8376270: [21u, 17u] Redo JDK-8361748: Enforce limits on the size of an XBM image
(P4) JDK-8367772: Refactor createUI in PassFailJFrame
client-libs/2d:
(P3) JDK-8373727: New XBM images parser regression: only the first line of the bitmap array is parsed
(P3) JDK-8373290: Update FreeType to 2.14.1
(P3) JDK-8379158: Update FreeType to 2.14.2
(P3) JDK-8375057: Update HarfBuzz to 12.3.2
(P4) JDK-8363950: Incorrect jtreg header in TestLayoutVsICU.java
(P4) JDK-8368882: NPE during text drawing on machine with JP locale
(P4) JDK-8369911: Test sun/java2d/marlin/ClipShapeTest.java#CubicDoDash, #Cubic and #Poly fail intermittent
client-libs/java.awt:
(P3) JDK-6899304: java.awt.Toolkit.getScreenInsets(GraphicsConfiguration) returns incorrect values
(P3) JDK-8372756: Mouse additional buttons and horizontal scrolling are broken on XWayland GNOME >= 47 after JDK-8351907
(P3) JDK-8372977: Unnecessary gthread-2.0 loading
(P3) JDK-8379256: Update GIFlib to 6.1.1
(P3) JDK-8380078: Update GIFlib to 6.1.2
(P3) JDK-8375063: Update Libpng to 1.6.54
(P3) JDK-8377526: Update Libpng to 1.6.55
(P3) JDK-8380959: Update Libpng to 1.6.56
(P4) JDK-8376251: [macos] java/awt/Frame/I18NTitle.java fails on MacOS (JDK-8355884)
(P4) JDK-8349351: Combine Screen Inset Tests into a Single File
(P4) JDK-8339271: giflib attribution correction
(P4) JDK-8256289: java/awt/Focus/AppletInitialFocusTest/AppletInitialFocusTest1.java failed with "RuntimeException: Wrong focus owner: java.awt.Button[button1,41,36,56x23,label=Button1]"
(P4) JDK-8372048: Performance improvement on Linux remote desktop
(P4) JDK-8339791: Refactor MiscUndecorated/ActiveAWTWindowTest.java
(P4) JDK-8361067: Test ExtraButtonDrag.java requires frame.dispose in finally block
client-libs/javax.swing:
(P3) JDK-8298153: Colored text is not shown on disabled checkbox and radio button with GTK LAF for bug4314194
(P3) JDK-8316274: javax/swing/ButtonGroup/TestButtonGroupFocusTraversal.java fails in Ubuntu 23.10 with Motif LAF
(P3) JDK-8075917: The regression-swing case failed as the text on label is not painted red with the GTK L&F
(P4) JDK-8353755: Add a helper method to Util - findComponent()
(P4) JDK-8354219: Automate javax/swing/JComboBox/ComboPopupBug.java
(P4) JDK-8347475: GTK: javax/swing/JColorChooser/Test8152419.java there are no swatches or RGB tab in JColorChooser
(P4) JDK-8335646: Nimbus : JLabel not painted with LAF defined foreground color on Ubuntu 24.04
(P4) JDK-8361530: Test javax/swing/GraphicsConfigNotifier/StalePreferredSize.java timed out
core-libs/java.io:
(P4) JDK-8366261: Provide utility methods for sun.security.util.Password
core-libs/java.lang:
(P3) JDK-8355632: WhiteBox.waitForReferenceProcessing() fails assert for return type
(P4) JDK-8356107: [java.lang] Use @requires tag instead of exiting based on os.name or separatorChar property
(P4) JDK-8368683: [process] Increase jtreg debug output maxOutputSize for TreeTest
(P4) JDK-8369858: Remove darcy author tags from jdk tests
(P4) JDK-8351000: StringBuilder getChar and putChar robustness
(P4) JDK-8361613: System.console() should only be available for interactive terminal
(P4) JDK-8372710: Update ProcessBuilder/Basic regex
core-libs/java.lang:reflect:
(P3) JDK-8343377: Performance regression in reflective invocation of native methods
core-libs/java.net:
(P4) JDK-8317801: java/net/Socket/asyncClose/Race.java fails intermittently (aix)
core-libs/java.nio:
(P4) JDK-8351458: (ch) Move preClose to UnixDispatcher
(P4) JDK-8114830: (fs) Files.copy fails due to interference from something else changing the file system
(P4) JDK-8314810: (fs) java/nio/file/Files/CopyInterference.java should use TestUtil::supportsLinks
(P4) JDK-8326897: (fs) The utility TestUtil.supportsLinks is wrongly used to check for hard link support
(P4) JDK-8355445: [java.nio] Use @requires tag instead of exiting based on "os.name" property value
(P4) JDK-8317838: java/nio/channels/Channels/SocketChannelStreams.java running into timeout (aix)
(P4) JDK-8364764: java/nio/channels/vthread/BlockingChannelOps.java subtests timed out
(P4) JDK-8366128: jdk/jdk/nio/zipfs/TestPosix.java::testJarFile uses wrong file
core-libs/java.rmi:
(P4) JDK-8372857: Improve debuggability of java/rmi/server/RemoteServer/AddrInUse.java test
(P4) JDK-8366866: SslRMIClientSocketFactory#createSocket lacking priviledges (securitymanger)
core-libs/java.text:
(P4) JDK-8317633: Modernize text.testlib.HexDumpReader
core-libs/java.time:
(P3) JDK-8373476: (tz) Update Timezone Data to 2025c
(P3) JDK-8379035: (tz) Update Timezone Data to 2026a
(P3) JDK-8345668: ZoneOffset.ofTotalSeconds performance regression
core-libs/java.util:
(P3) JDK-8301875: java.util.TimeZone.getSystemTimeZoneID uses C library default file mode
core-libs/java.util.jar:
(P1) JDK-8378823: AIX build fails after zlib updated by JDK-8378631
(P4) JDK-8378631: Update Zlib Data Compression Library to Version 1.3.2
core-libs/java.util:i18n:
(P4) JDK-8374433: java/util/Locale/PreserveTagCase.java does not run any tests
core-libs/javax.naming:
(P4) JDK-8287062: com/sun/jndi/ldap/LdapPoolTimeoutTest.java failed due to different timeout message
(P4) JDK-8355278: Improve debuggability of com/sun/jndi/ldap/LdapPoolTimeoutTest.java test
(P5) JDK-8375999: com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails sporadically on Windows
core-svc:
(P4) JDK-8342449: reimplement: JDK-8327114 Attach in Linux may have wrong behavior when pid == ns_pid
(P4) JDK-8358077: sun.tools.attach.VirtualMachineImpl::checkCatchesAndSendQuitTo on Linux leaks file handles after JDK-8327114
core-svc/debugger:
(P4) JDK-8370636: com/sun/jdi/TwoThreadsTest.java should wait for completion of all threads
(P4) JDK-8366850: Test com/sun/jdi/JdbStopInNotificationThreadTest.java failed
(P4) JDK-8366694: Test JdbStopInNotificationThreadTest.java timed out after 60 second
core-svc/java.lang.management:
(P4) JDK-8030957: AIX: Implement OperatingSystemMXBean.getSystemCpuLoad() and .getProcessCpuLoad() on AIX
core-svc/tools:
(P3) JDK-8341246: Test com/sun/tools/attach/PermissionTest.java fails access denied after JDK-8327114
(P4) JDK-8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)
(P4) JDK-8341310: Test TestJcmdWithSideCar.java should skip ACCESS_TMP_VIA_PROC_ROOT (after JDK-8327114)
hotspot/compiler:
(P2) JDK-8358751: C2: Recursive inlining check for compiled lambda forms is broken
(P3) JDK-8373525: C2: assert(_base == Long) failed: Not a Long
(P4) JDK-8368787: Error reporting: hs_err files should show instructions when referencing code in nmethods
(P4) JDK-8357380: java/lang/StringBuilder/RacingSBThreads.java times out with C1
(P4) JDK-8337102: JITTester: Fix breaks in static initialization blocks
(P4) JDK-8371608: Jtreg test jdk/internal/vm/Continuation/Fuzz.java sometimes fails with (fast)debug binaries
(P4) JDK-8370579: PPC: fix inswri immediate argument order
(P4) JDK-8330016: Stress seed should be initialized for runtime stub compilation
(P4) JDK-8367135: Test compiler/loopstripmining/CheckLoopStripMining.java needs internal timeouts adjusted
hotspot/gc:
(P4) JDK-8372348: Adjust some UL / JFR string deduplication output messages
(P4) JDK-8370325: G1: Disallow GC for TLAB allocation
(P4) JDK-8354145: G1: UseCompressedOops boundary is calculated on maximum heap region size instead of maxiumum ergonomic heap region size
(P4) JDK-8354559: gc/g1/TestAllocationFailure.java doesn't need WB API
(P4) JDK-8342175: MemoryEaterMT fails intermittently with ExceptionInInitializerError
(P4) JDK-8333386: TestAbortOnVMOperationTimeout test fails for client VM
(P4) JDK-8354922: ZGC: Use MAP_FIXED_NOREPLACE when reserving memory
hotspot/jfr:
(P3) JDK-8371889: [21u] JFR: Deadlock in ThrowableTracer
(P3) JDK-8365972: JFR: ThreadDump and ClassLoaderStatistics events may cause back to back rotations
(P3) JDK-8372321: TestBackToBackSensitive fails intermittently after JDK-8365972
(P4) JDK-8372441: JFR: Improve logging of TestBackToBackSensitive
hotspot/jvmti:
(P3) JDK-8371103: vmTestbase/nsk/jvmti/scenarios/events/EM02/em02t006/TestDescription.java failing
hotspot/runtime:
(P2) JDK-8366938: Test runtime/handshake/HandshakeTimeoutTest.java crashed
(P3) JDK-8335906: [s390x] Test Failure: GTestWrapper.java
(P3) JDK-8365526: Crash with null Symbol passed to SystemDictionary::resolve_or_null
(P3) JDK-8354878: File Leak in CgroupSubsystemFactory::determine_type of cgroupSubsystem_linux.cpp:300
(P3) JDK-8375530: PPC64: incorrect quick verify_method_data_pointer check causes poor performance in debug build
(P3) JDK-8372988: Test runtime/Nestmates/membership/TestNestHostErrorWithMultiThread.java failed: Unexpected interrupt
(P4) JDK-8313319: [linux] mmap should use MAP_FIXED_NOREPLACE if available
(P4) JDK-8370572: Cgroups hierarchical memory limit is not honored after JDK-8322420
(P4) JDK-8370966: Create regression test for the hierarchical memory limit fix in JDK-8370572
(P4) JDK-8374178: Missing include in systemDictionary.cpp after JDK-8365526
(P4) JDK-8354057: Odd debug output in -Xlog:os+container=debug on certain systems
(P4) JDK-8334738: os::print_hex_dump should optionally print ASCII
(P4) JDK-8374056: RISC-V: Fix argument passing for the RiscvFlushIcache::flush
(P4) JDK-8362834: Several runtime/Thread tests should mark as /native
(P4) JDK-8350103: Test containers/systemd/SystemdMemoryAwarenessTest.java fails on Linux ppc64le SLES15 SP6
(P4) JDK-8359827: Test runtime/Thread/ThreadCountLimit.java need loop increasing the limit
(P4) JDK-8318302: ThreadCountLimit.java failed with "Native memory allocation (mprotect) failed to protect 16384 bytes for memory to guard stack pages"
hotspot/test:
(P4) JDK-8346048: test/lib/containers/docker/DockerRunOptions.java uses addJavaOpts() from ctor
infrastructure:
(P4) JDK-8372464: Bump update version for OpenJDK: jdk-21.0.11
infrastructure/build:
(P3) JDK-8374642: EscapeHash macro fails with GNU make 4.3 and 4.4
(P3) JDK-8331431: Update to use jtreg 7.4
(P3) JDK-8339238: Update to use jtreg 7.5.1
(P3) JDK-8357141: Update to use jtreg 7.5.2
(P4) JDK-8314555: Build with mawk fails on Windows
(P4) JDK-8378218: MSYS2 reports cygwin triplet causing bash configure failure
infrastructure/licensing:
(P4) JDK-8377905: gcc.md included with every build
security-libs/java.security:
(P2) JDK-8375549: ConcurrentModificationException if jdk.crypto.disabledAlgorithms has multiple entries with known oid
(P3) JDK-8354469: Keytool exposes the password in plain text when command is piped using | grep
(P3) JDK-8374555: No need for visible input warning in s.s.u.Password when not reading from System.in
(P3) JDK-8244336: Restrict algorithms at JCE layer
(P4) JDK-8378853: [25u] Make backport of JDK-8244336 comply with differences in CSR
(P4) JDK-8346962: Test CRLReadTimeout.java fails with -Xcomp on a fastdebug build
security-libs/javax.crypto:
(P4) JDK-8358159: Empty mode/padding in cipher transformations
(P4) JDK-8359388: Stricter checking for cipher transformations
security-libs/javax.net.ssl:
(P2) JDK-8328608: Multiple NewSessionTicket support for TLS
(P3) JDK-8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA
(P3) JDK-8371559: Intermittent timeouts in test javax/net/ssl/Stapling/HttpsUrlConnClient.java
(P3) JDK-8334670: SSLSocketOutputRecord buffer miscalculation
(P4) JDK-8360539: DTLS handshakes fails due to improper cookie validation logic
(P4) JDK-8348309: MultiNST tests need more debugging and timing
(P4) JDK-8333857: Test sun/security/ssl/SSLSessionImpl/ResumeChecksServer.java failed: Existing session was used
(P4) JDK-8366817: test/jdk/javax/net/ssl/TLSCommon/interop/JdkProcServer.java and JdkProcClient.java should not delete logs
(P4) JDK-8357277: Update OpenSSL library for interop tests
security-libs/javax.security:
(P2) JDK-8367583: sun/security/util/AlgorithmConstraints/InvalidCryptoDisabledAlgos.java fails after JDK-8244336
security-libs/org.ietf.jgss:krb5:
(P3) JDK-8345578: New test in JDK-8343622 fails with a promoted build
(P4) JDK-8343622: AesDkCrypto.stringToKey should not return null
tools/jar:
(P4) JDK-8371978: tools/jar/ReproducibleJar.java fails on XFS
tools/jshell:
(P4) JDK-8351639: Improve debuggability of test/langtools/jdk/jshell/JdiHangingListenExecutionControlTest.java test
xml/jaxp:
(P4) JDK-8336695: Update Commons BCEL to Version 6.10.0