January 20, 2026
The full version string for this update release is 21.0.10+8 (where "+" means "build"). The version number is 21.0.10. This JDK conforms to version 21 of the Java SE Specification (JSR 396 2023-09-19).
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 21.0.10 are specified in the following table:
| Java Family Version | Security Baseline (Full Version String) |
|---|---|
| 21 | 21.0.10+8 |
| 17 | 17.0.18+8 |
| 11 | 11.0.30+7 |
| 8 | 1.8.0_481-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update. To determine whether a release is the latest, use the Security Baseline page, which lists the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 21.0.10) be used after the next critical patch update scheduled for April 21, 2026.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews, such as identifying potentially vulnerable third-party libraries used by your Java programs. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java installations.
Oracle JDK 21 LTS, released in September 2023, has been permissively licensed under the free Java license and will continue to be so until one year after the subsequent LTS release. Oracle designated Oracle JDK 25, released in September of 2025, as a Long Term Support (LTS) release. Therefore, update releases of Oracle JDK 21 after September of 2026 will switch to the Java SE OTN license, the same license under which we offer updates to Java 8, 11, and 17. Users wishing to receive updates of the Oracle JDK under the free Java license should migrate to Oracle JDK 25.
RMI will use TLS connections if the javax.rmi.ssl.SslRMIClientSocketFactory class is used. These connections now have TLS endpoint identification enabled by default. This may cause some previously-working TLS connections to fail. If this occurs, ensure that the certificate presented by the server has a Subject Alternative Name that matches the server's hostname. Alternatively, endpoint identification for RMI TLS connections can be disabled on the client side by setting the jdk.rmi.ssl.client.enableEndpointIdentification system property to false.
The SHA-1 algorithm has been disabled by default in TLS 1.2 and DTLS 1.2 handshake signatures, by adding "rsa_pkcs1_sha1 usage HandshakeSignature, ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature" to the jdk.tls.disabledAlgorithms security property in the java.security config file. RFC 9155 deprecates the use of SHA-1 in TLS 1.2 and DTLS 1.2 digital signatures. Users can, at their own risk, re-enable the SHA-1 algorithm in TLS 1.2 and DTLS 1.2 handshake signatures by removing "rsa_pkcs1_sha1 usage HandshakeSignature, ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature" from the jdk.tls.disabledAlgorithms security property.
For the JDK 11+ LTS families, the JDK will install into a version-specific installation directory by default. The installation directory of 11+ will have a - before the version-specific string to keep consistency with the past 11+ conventions per family. A junction, also known as a symlink for Windows, will also be created in a "latest" directory. It will point to the latest version of that family. Here is an example breakdown of installation and junction locations for the 11+ families:
| Version | Installation Directory | Junction Location |
|---|---|---|
| jdk25.0.2 | C:\Program Files\Java\jdk-25.0.2 | C:\Program Files\Java\latest\jdk-25 |
| jdk17.0.18 | C:\Program Files\Java\jdk-17.0.18 | C:\Program Files\Java\latest\jdk-17 |
| jdk11.0.30 | C:\Program Files\Java\jdk-11.0.30 | C:\Program Files\Java\latest\jdk-11 |
Each junction will always point to the latest JDK of the matching LTS family. The junction for each family will be removed when the last JDK of the matching LTS family is uninstalled.
The jcmd command will be available in the headless JDK RPM instead of the headful JDK RPM.
It will be added to the java alternatives group instead of the javac alternatives group.
The TLS_RSA cipher suites have been disabled by default, by adding "TLS_RSA_" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_RSA cipher suites do not preserve forward-secrecy and are not commonly used. Some TLS_RSA cipher suites are already disabled because they use DES, 3DES, RC4, or NULL, which are disabled. This action disables all remaining TLS_RSA cipher suites. Any attempts to use cipher suites starting with "TLS_RSA_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "TLS_RSA_" from the jdk.tls.disabledAlgorithms security property. The following previously enabled cipher suites are now disabled:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
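To confirm that a deployed runtime still carries the defaults described above for SHA-1 handshake signatures and TLS_RSA cipher suites, the effective security property can be inspected at run time. This is an added example, not Oracle code; the class name TlsBaselineAudit and its helper methods are hypothetical, and it uses only standard java.security and javax.net.ssl calls.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

public class TlsBaselineAudit {
    // Entries these release notes say are in jdk.tls.disabledAlgorithms by default.
    static final List<String> EXPECTED = List.of(
        "TLS_RSA_",
        "rsa_pkcs1_sha1 usage HandshakeSignature",
        "ecdsa_sha1 usage HandshakeSignature",
        "dsa_sha1 usage HandshakeSignature");

    // Split the comma-separated property; normalise whitespace and case for comparison.
    static List<String> parse(String property) {
        if (property == null) return List.of();
        return Arrays.stream(property.split(","))
            .map(s -> s.trim().replaceAll("\\s+", " ").toLowerCase())
            .filter(s -> !s.isEmpty())
            .collect(Collectors.toList());
    }

    // Map each expected entry to whether the effective property contains it verbatim.
    // A missing entry may still be covered by a broader rule, so treat it as a prompt to review.
    static Map<String, Boolean> check(String property) {
        List<String> entries = parse(property);
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String e : EXPECTED) result.put(e, entries.contains(e.toLowerCase()));
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Security.getProperty returns the effective value, including any override file.
        check(Security.getProperty("jdk.tls.disabledAlgorithms"))
            .forEach((k, v) -> System.out.println((v ? "present  " : "MISSING  ") + k));
        // Cross-check: which TLS_RSA_ suites would the default context actually offer?
        List<String> rsa = Arrays.stream(
                SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites())
            .filter(s -> s.startsWith("TLS_RSA_"))
            .collect(Collectors.toList());
        System.out.println("TLS_RSA_ suites enabled by default: " + rsa);
    }
}
```

Run it with the same JVM options and java.security overrides as the application being audited, since those change the effective property value.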
On Debian-based Linux distributions such as Ubuntu, the /etc/timezone file was previously used to determine the JDK's default time zone (TimeZone.getDefault()). According to Debian's Wiki, /etc/localtime is now the primary source for the system's default time zone, making /etc/timezone redundant. As a result, the JDK's default time zone detection logic has been updated to use /etc/localtime instead of /etc/timezone. If /etc/localtime and /etc/timezone are inconsistent for any reason, the JDK's default time zone is now determined solely from the /etc/localtime file.
A new system and security property, com.sun.security.allowedAIALocations, has been introduced. This property allows users to define one or more filtering rules to be applied to URIs obtained from the authority info access extension on X.509 certificates. These filter rules are applied specifically to the CA issuers access method. Any CA issuers URIs in X.509 certificates are only followed when the com.sun.security.enableAIAcaIssuers system property is enabled and the filter allows the URI.
In order to set the rules, the user must set either the com.sun.security.allowedAIALocations security property or the system property by the same name. If the system property has a value, it will override the security property. By default the property is blank, which enacts a deny-all ruleset.
For either property, the value consists of a set of space-separated rules that take the form of a URI, with the following constraints:
/ab/cd/ will match a CA issuer path of /ab/cd/, /ab/cd/ef and /ab/cd/ef/ghi.).
For the properties, a single value of "any" (case-insensitive) will create an allow-all rule.
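The precedence and default behaviour described above (system property over security property, blank meaning deny-all, a single "any" meaning allow-all) can be resolved for a running JVM as follows. This is an added example, not Oracle code; the class name AiaPolicyReport and its methods are hypothetical, it does not evaluate individual rules against URIs, and it assumes a system property set to a blank string counts as having no value.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;

public class AiaPolicyReport {
    static final String FILTER = "com.sun.security.allowedAIALocations";
    static final String ENABLE = "com.sun.security.enableAIAcaIssuers";

    enum Mode { DENY_ALL, ALLOW_ALL, RULES }

    // The system property wins when it has a value; otherwise the security property applies.
    // Assumption: a system property that is empty or blank is treated as "no value".
    static String effectiveValue(String sysProp, String secProp) {
        if (sysProp != null && !sysProp.isBlank()) return sysProp.trim();
        return secProp == null ? "" : secProp.trim();
    }

    static Mode mode(String value) {
        if (value.isEmpty()) return Mode.DENY_ALL;                 // blank => deny-all
        if (value.equalsIgnoreCase("any")) return Mode.ALLOW_ALL;  // single "any" => allow-all
        return Mode.RULES;                                         // space-separated URI rules
    }

    static List<String> rules(String value) {
        return mode(value) == Mode.RULES ? Arrays.asList(value.split("\\s+")) : List.of();
    }

    // CA issuers URIs are followed only if fetching is enabled AND the filter can allow a URI.
    static boolean mayFetch(boolean aiaEnabled, String value) {
        return aiaEnabled && mode(value) != Mode.DENY_ALL;
    }

    public static void main(String[] args) {
        String value = effectiveValue(System.getProperty(FILTER), Security.getProperty(FILTER));
        boolean enabled = Boolean.getBoolean(ENABLE);
        System.out.println(ENABLE + " = " + enabled);
        System.out.println("filter mode = " + mode(value) + " " + rules(value));
        System.out.println("CA issuers fetching possible: " + mayFetch(enabled, value));
        if (enabled && mode(value) == Mode.ALLOW_ALL)
            System.out.println("Review: every CA issuers URI taken from a certificate is allowed");
    }
}
```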
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
Issues fixed in 21.0.10:
| # | JBS | Component/Subcomponent | Summary |
|---|---|---|---|
| 1 | JDK-8334509 | client-libs/2d | Cancelling PageDialog does not return the same PageFormat object |
| 2 | JDK-8361748 | client-libs/2d | Enforce limits on the size of an XBM image |
| 3 | JDK-8324491 | client-libs/java.awt | Keyboard layout didn't keep its state if it was changed when dialog was active |
| 4 | JDK-8354646 | client-libs/java.awt | java.awt.TextField allows to identify the spaces in a password when double clicked at the starting and end of the text |
| 5 | JDK-8350813 | client-libs/javax.sound | Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError |
| 6 | JDK-8140527 | client-libs/javax.swing | JInternalFrame has incorrect title button width |
| 7 | JDK-8139228 | client-libs/javax.swing | JFileChooser renders file names as HTML document |
| 8 | JDK-8358532 | client-libs/javax.swing | JFileChooser in GTK L&F still displays HTML filename |
| 9 | JDK-8210807 | client-libs/javax.swing | Printing a JTable with a JScrollPane prints table without rows populated |
| 10 | JDK-8322135 | client-libs/javax.swing | Printing JTable in Windows L&F throws InternalError: HTHEME is null |
| 11 | JDK-8349188 | client-libs/javax.swing | LineBorder does not scale correctly |
| 12 | JDK-8358813 | client-libs/javax.swing | JPasswordField identifies spaces in password via delete shortcuts |
| 13 | JDK-8370465 | client-libs/javax.swing | Right to Left Orientation Issues with MenuItem Component |
| 14 | JDK-8365086 | core-libs/java.net | CookieStore.getURIs() and get(URI) should return an immutable List |
| 15 | JDK-8369184 | core-libs/java.util:i18n | SimpleTimeZone equals() Returns True for Unequal Instances with Different hashCode Values |
| 16 | JDK-8328085 | hotspot/compiler | C2: Use after free in PhaseChaitin::Register_Allocate() |
| 17 | JDK-8364993 | hotspot/jfr | JFR: Disable jdk.ModuleExport in default.jfc |
| 18 | JDK-8364556 | hotspot/jfr | JFR: Disable SymbolTableStatistics and StringTableStatistics in default.jfc |
| 19 | JDK-8328997 | hotspot/runtime | Remove unnecessary template parameter lists in GrowableArray |
| 20 | JDK-8317132 | hotspot/runtime | Prepare HotSpot for permissive- |
| 21 | JDK-8361447 | hotspot/runtime | [REDO] Checked version of JNI Release<type>ArrayElements needs to filter out known wrapped arrays |
| 22 | JDK-8364235 | hotspot/runtime | Fix for JDK-8361447 breaks the alignment requirements for GuardedMemory |
| 23 | JDK-8302744 | hotspot/runtime | Refactor Hotspot container detection code |
| 24 | JDK-8364660 | hotspot/runtime | ClassVerifier::ends_in_athrow() should be removed |
| 25 | JDK-8306579 | infrastructure/other | Consider building with /Zc:throwingNew |
| 26 | JDK-8342958 | performance/libraries | Use jvmArgs consistently in microbenchmarks |
| 27 | JDK-8317332 | security-libs/java.security | Prepare security for permissive- |
| 28 | JDK-8325680 | security-libs/org.ietf.jgss | Uninitialised memory in deleteGSSCB of GSSLibStub.c:179 |
| 29 | JDK-8365790 | tools/jpackage | Shutdown hook for application image does not work on Windows |