JDK 21.0.8 Release Notes
Java SE 21.0.8 Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 21.0.8 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
Changes in Java SE 21.0.8.0.2
Bug Fixes
Release date: July 25, 2025| BugId | Category | Subcategory | Summary |
|---|---|---|---|
| JDK-8358764 | core-libs | java.nio | (sc) SocketChannel.close when thread blocked in read causes connection to be reset (win) |
Changes in Java SE 21.0.8.0.1
Bug Fixes
Release date: July 15, 2025| BugId | Category | Subcategory | Summary |
|---|---|---|---|
| JDK-8355072 (not public) | install | install | [OL9] java on systemd environments: /etc/rc.d/init.d/jexec' lacks a native systemd unit file |
Java™ SE Development Kit 21.0.8 (JDK 21.0.8)
July 15, 2025
The full version string for this update release is 21.0.8+12 (where "+" means "build"). The version number is 21.0.8. This JDK conforms to version 21 of the Java SE Specification (JSR 396 2023-09-19).
IANA TZ Data 2025b
JDK 21.0.8 contains IANA time zone data 2025b which contains the following changes:
- New zone for Aysén Region in Chile which moves from -04/-03 to -03.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 21.0.8 are specified in the following table:
| Java Family Version | Security Baseline (Full Version String) |
|---|---|
| 21 | 21.0.8+12 |
| 17 | 17.0.16+12 |
| 11 | 11.0.28+12 |
| 8 | 1.8.0_461-b11 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 21.0.8) be used after the next critical patch update scheduled for October 21, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
Removed Features and Options
The following expired root certificate has been removed from the cacerts keystore:
+ alias name "baltimorecybertrustca [jdk]"
Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
The following root certificates, which are terminated and no longer in use, have been removed from the cacerts keystore:
+ alias name "camerfirmachamberscommerceca [jdk]"
Distinguished Name: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
+ alias name "camerfirmachambersignca [jdk]"
Distinguished Name: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Other Notes
The following root certificates have been added to the cacerts truststore:
+ Sectigo Limited
+ sectigocodesignroote46
DN: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigocodesignrootr46
DN: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigotlsroote46
DN: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigotlsrootr46
DN: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB
The oracle.com JDK RPM packages meant to be downloaded directly to the target system, now are signed with the OL9 signing key instead of the OL8 signing key. The RPM packages hosted on YUM repositories remain signed with the appropriate key for the target repository.
The java.net.http.HttpClient will now report HTTP/2 flow control errors to the server when they are detected. This is an implementation detail that should be transparent to users of the HttpClient API, but could result in streams being reset or connections being closed if connecting to a non-conformant HTTP/2 server.
The X.509 encoded format for HSS/LMS public keys has been updated to align with the latest standard outlined in RFC 9708. Notably, the additional OCTET STRING wrapping around the public key value has been removed. For compatibility, public key encodings generated by earlier JDK releases are still recognized.
In JDK 21, an enhanced syntax for various timeout properties was released through JDK-8179502. This included a new system property, com.sun.security.ocsp.readtimeout, which allows users to control the timeout while reading OCSP responses after a successful TCP connection has been established.
This changes the default posture of this property to be the value of the com.sun.security.ocsp.timeout system property from its original default of 15 seconds. If the com.sun.security.ocsp.timeout system property is also not set, then its default 15 second timeout is propagated to the default for com.sun.security.ocsp.readtimeout.
If an entry is removed from a signed JAR file, there is no mechanism to detect that it has been removed using the JarFile API, since the getJarEntry method returns null as if the entry had never existed. With this change, the jarsigner -verify command analyzes the signature files and if some sections do not have matching file entries, it prints out the following warning: "This JAR contains signed entries for files that do not exist". Users can further find out the names of these entries by adding the -verbose option to the command.
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 21.0.8:| # | JBS | Component/Subcomponent | Summary |
|---|---|---|---|
| 1 | JDK-8348597 | client-libs/2d | Update HarfBuzz to 10.4.0 |
| 2 | JDK-8348596 | client-libs/2d | Update FreeType to 2.13.3 |
| 3 | JDK-8348600 | client-libs/java.awt | Update PipeWire to 1.3.81 |
| 4 | JDK-8348598 | client-libs/java.awt | Update Libpng to 1.6.47 |
| 5 | JDK-8280991 | client-libs/java.awt | [XWayland] No displayChanged event after setDisplayMode call |
| 6 | JDK-8286204 | client-libs/javax.accessibility | [Accessibility,macOS,VoiceOver] VoiceOver reads the spinner value 10 as 1 when user iterates to 10 for the first time on macOS |
| 7 | JDK-8345728 | client-libs/javax.accessibility | [Accessibility,macOS,Screen Magnifier]: JCheckbox unchecked state does not magnify but works for checked state |
| 8 | JDK-8348936 | client-libs/javax.accessibility | [Accessibility,macOS,VoiceOver] VoiceOver doesn't announce untick on toggling the checkbox with "space" key on macOS |
| 9 | JDK-6928542 | client-libs/javax.swing | Chinese characters in RTF are not decoded |
| 10 | JDK-8322754 | client-libs/javax.swing | click JComboBox when dialog about to close causes IllegalComponentStateException |
| 11 | JDK-8318915 | core-libs/java.math | Enhance checks in BigDecimal.toPlainString() |
| 12 | JDK-8335181 | core-libs/java.net | Incorrect handling of HTTP/2 GOAWAY frames in HttpClient |
| 13 | JDK-8343855 | core-libs/java.net | HTTP/2 ConnectionWindowUpdateSender may miss some unprocessed DataFrames from closed streams |
| 14 | JDK-8353787 | core-libs/java.util.jar | Increased number of SHA-384-Digest java.util.jar.Attributes$Name instances leading to higher memory footprint |
| 15 | JDK-8344589 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-11-19 |
| 16 | JDK-8356096 | core-libs/java.util:i18n | ISO 4217 Amendment 179 Update |
| 17 | JDK-8345296 | hotspot/compiler | AArch64: VM crashes with SIGILL when prctl is disallowed |
| 18 | JDK-8349637 | hotspot/compiler | Integer.numberOfLeadingZeros outputs incorrectly in certain cases |
| 19 | JDK-8308966 | hotspot/compiler | Add intrinsic for float/double modulo for x86 AVX2 and AVX512 |
| 20 | JDK-8314056 | hotspot/compiler | Remove runtime platform check from frem/drem |
| 21 | JDK-8336042 | hotspot/compiler | Caller/callee param size mismatch in deoptimization causes crash |
| 22 | JDK-8357105 | hotspot/compiler | C2: compilation fails with "assert(false) failed: empty program detected during loop optimization" |
| 23 | JDK-8332717 | hotspot/gc | ZGC: Division by zero in heuristics |
| 24 | JDK-8343285 | hotspot/runtime | java.lang.Process is unresponsive and CPU usage spikes to 100% |
| 25 | JDK-8343599 | hotspot/runtime | Kmem limit and max values swapped when printing container information |
| 26 | JDK-8320892 | hotspot/runtime | AArch64: Restore FPU control state after JNI |
| 27 | JDK-8339148 | hotspot/runtime | Make os::Linux::active_processor_count() public |
| 28 | JDK-8345569 | hotspot/runtime | [ubsan] adjustments to filemap.cpp and virtualspace.cpp for macOS aarch64 |
| 29 | JDK-8319650 | hotspot/svc | Improve heap dump performance with class metadata caching |
| 30 | JDK-8320924 | hotspot/svc | Improve heap dump performance by optimizing archived object checks |
| 31 | JDK-8311546 | security-libs/java.security | Certificate name constraints improperly validated with leading period |
| 32 | JDK-8344361 | security-libs/java.security | Restore null return for invalid services from legacy providers |
| 33 | JDK-8332921 | tools/jshell | Ctrl+C does not call shutdown hooks after JLine upgrade |