JDK 24.0.2 Release Notes
Java™ SE Development Kit 24.0.2 (JDK 24.0.2)
Release date: July 15, 2025
The full version string for this update release is 24.0.2+12 (where "+" means "build"). The version number is 24.0.2. This JDK conforms to version 24 of the Java SE Specification (JSR 399 2025-03-18).
IANA TZ Data 2025b
JDK 24.0.2 contains IANA time zone data 2025b which contains the following changes:
- New zone for Aysén Region in Chile which moves from -04/-03 to -03.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime at the time of the release of JDK 24.0.2 are specified in the following table:
| Java Family Version | Security Baseline (Full Version String) |
|---|---|
| 24 | 24.0.2+12 |
| 21 | 21.0.8+12 |
| 17 | 17.0.16+12 |
| 11 | 11.0.28+12 |
| 8 | 1.8.0_461-b11 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 24.0.2) be used after the next critical patch update scheduled for October 21, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
Removed Features and Options
The following expired root certificate has been removed from the cacerts keystore:
+ alias name "baltimorecybertrustca [jdk]"
Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
The following root certificates, which are terminated and no longer in use, have been removed from the cacerts keystore:
+ alias name "camerfirmachamberscommerceca [jdk]"
Distinguished Name: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
+ alias name "camerfirmachambersignca [jdk]"
Distinguished Name: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Other Notes
The following root certificates have been added to the cacerts truststore:
+ Sectigo Limited
+ sectigocodesignroote46
DN: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigocodesignrootr46
DN: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigotlsroote46
DN: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB
+ Sectigo Limited
+ sectigotlsrootr46
DN: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB
The oracle.com JDK RPM packages meant to be downloaded directly to the target system, now are signed with the OL9 signing key instead of the OL8 signing key. The RPM packages hosted on YUM repositories remain signed with the appropriate key for the target repository.
Starting with JDK 25, jpackage no longer includes service bindings for a run-time image that it creates. Prior to JDK 25, jpackage would include service bindings for run-time images. As a result, the generated run-time images produced by jpackage might not include the same set of modules as it did in prior versions.
The previous behavior can be achieved by adding the --bind-services jlink option to the default jlink options jpackage uses:
jpackage [...] --jlink-options \
"--strip-native-commands --strip-debug --no-man-pages --no-header-files --bind-services"
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 24.0.2:| # | JBS | Component/Subcomponent | Summary |
|---|---|---|---|
| 1 | JDK-8347377 | client-libs/2d | Add validation checks for ICC_Profile header fields |
| 2 | JDK-8343224 | client-libs/2d | print/Dialog/PaperSizeError.java fails with MediaSizeName is not A4: A4 |
| 3 | JDK-8330936 | client-libs/2d | [ubsan] exclude function BilinearInterp and ShapeSINextSpan in libawt java2d from ubsan checks |
| 4 | JDK-8348597 | client-libs/2d | Update HarfBuzz to 10.4.0 |
| 5 | JDK-8348596 | client-libs/2d | Update FreeType to 2.13.3 |
| 6 | JDK-8348600 | client-libs/java.awt | Update PipeWire to 1.3.81 |
| 7 | JDK-8348598 | client-libs/java.awt | Update Libpng to 1.6.47 |
| 8 | JDK-8349378 | client-libs/java.awt | Build splashscreen lib with SIZE optimization |
| 9 | JDK-8280991 | client-libs/java.awt | [XWayland] No displayChanged event after setDisplayMode call |
| 10 | JDK-8286204 | client-libs/javax.accessibility | [Accessibility,macOS,VoiceOver] VoiceOver reads the spinner value 10 as 1 when user iterates to 10 for the first time on macOS |
| 11 | JDK-8345728 | client-libs/javax.accessibility | [Accessibility,macOS,Screen Magnifier]: JCheckbox unchecked state does not magnify but works for checked state |
| 12 | JDK-8348936 | client-libs/javax.accessibility | [Accessibility,macOS,VoiceOver] VoiceOver doesn't announce untick on toggling the checkbox with "space" key on macOS |
| 13 | JDK-8346705 | core-libs/java.net | SNI not sent with Java 22+ using java.net.http.HttpClient.Builder#sslParameters |
| 14 | JDK-8351233 | core-libs/java.util | [ASAN] avx2-emu-funcs.hpp:151:20: error: ‘D.82188’ is used uninitialized |
| 15 | JDK-8353787 | core-libs/java.util.jar | Increased number of SHA-384-Digest java.util.jar.Attributes$Name instances leading to higher memory footprint |
| 16 | JDK-8356096 | core-libs/java.util:i18n | ISO 4217 Amendment 179 Update |
| 17 | JDK-8347997 | hotspot/compiler | assert(false) failed: EA: missing memory path |
| 18 | JDK-8343978 | hotspot/compiler | Update the default value of CodeEntryAlignment for Ampere-1A and 1B |
| 19 | JDK-8348261 | hotspot/compiler | assert(n->is_Mem()) failed: memory node required |
| 20 | JDK-8347718 | hotspot/compiler | Unexpected NullPointerException in C2 compiled code due to ReduceAllocationMerges |
| 21 | JDK-8349637 | hotspot/compiler | Integer.numberOfLeadingZeros outputs incorrectly in certain cases |
| 22 | JDK-8346264 | hotspot/compiler | "Total compile time" counter should include time spent in failing/bailout compiles |
| 23 | JDK-8336042 | hotspot/compiler | Caller/callee param size mismatch in deoptimization causes crash |
| 24 | JDK-8350483 | hotspot/compiler | AArch64: turn on signum intrinsics by default on Ampere CPUs |
| 25 | JDK-8352508 | hotspot/gc | [Redo] G1: Pinned regions with pinned objects only reachable by native code crash VM |
| 26 | JDK-8351500 | hotspot/gc | G1: NUMA migrations cause crashes in region allocation |
| 27 | JDK-8353946 | hotspot/runtime | Incorrect WINDOWS ifdef in os::build_agent_function_name |
| 28 | JDK-8350313 | hotspot/runtime | Include timings for leaving safepoint in safepoint logging |
| 29 | JDK-8350201 | hotspot/runtime | Out of bounds access on Linux aarch64 in os::print_register_info |
| 30 | JDK-8343191 | hotspot/runtime | Cgroup v1 subsystem fails to set subsystem path |
| 31 | JDK-8345569 | hotspot/runtime | [ubsan] adjustments to filemap.cpp and virtualspace.cpp for macOS aarch64 |
| 32 | JDK-8349039 | hotspot/svc-agent | Adjust exception No type named <ThreadType> in database |
| 33 | JDK-8353185 | tools/jlink | Introduce the concept of upgradeable files in context of JEP 493 |
| 34 | JDK-8355524 | tools/jlink | Only every second line in upgradeable files is being used |