Java Ecosystem Update: OpenJDK Advancements, Security Patches, and Tooling Improvements

Cloud Reporter

This comprehensive roundup examines recent developments in the Java ecosystem, including OpenJDK JEPs advancing toward JDK 27, critical security patches from Oracle and downstream providers, and significant updates to key tools like Open Liberty, Testcontainers, and IntelliJ IDEA.

The Java ecosystem continues to evolve rapidly, with significant developments across the platform, tooling, and security landscapes. This month's updates bring important advances in language features, garbage collection improvements, security patches, and enhancements to developer tools that will impact Java applications in production environments.

OpenJDK Progress Toward JDK 27

The OpenJDK development process continues to advance with two significant JEPs moving forward in their lifecycle. JEP 532, "Primitive Types in Patterns, instanceof, and switch (Fifth Preview)," has been elevated from Candidate to Proposed to Target status for JDK 27. This feature represents the fifth iteration of pattern matching enhancements for primitive types, following previews in JDK 23 through JDK 26. The JEP extends pattern matching capabilities to include primitive types in all pattern contexts, and enhances the instanceof and switch constructs to work seamlessly with all primitive types.

"The pattern matching enhancements for primitive types represent a significant step toward more expressive and type-safe Java code," explains Mark Reinhold, Chief Architect at Oracle. "By allowing primitive types in pattern contexts, developers can write more concise and readable code while maintaining type safety."

The review for JEP 532 is expected to conclude on April 30, 2026, with the feature potentially becoming a standard part of JDK 27 if approved. This evolution of pattern matching could significantly impact how developers handle type checking and conditional logic in Java applications.

Simultaneously, JEP 535, "Shenandoah GC: Generational Mode by Default," has progressed from JEP Draft to Candidate status, with plans for inclusion in JDK 28. This JEP proposes to make generational mode the default configuration for the Shenandoah Garbage Collector, while deprecating the non-generational mode with plans for eventual removal. The generational mode, which segregates objects into young and old generations, typically provides better throughput for many applications by optimizing garbage collection cycles.

JDK 27 Release Schedule Finalized

With JDK 27 Build 19 now available, featuring fixes from Build 18, Mark Reinhold has formally announced the release schedule for JDK 27. The timeline follows Oracle's standard rampdown process:

  • Rampdown Phase One (fork from main line): June 4, 2026
  • Rampdown Phase Two: July 16, 2026
  • Initial Release Candidate: August 6, 2026
  • Final Release Candidate: August 20, 2026
  • General Availability: September 14, 2026

Developers are encouraged to report bugs via the Java Bug Database during this period. The finalized schedule provides organizations with clarity on when to expect the production-ready release, allowing for planning of migration and testing activities.

Critical Security Patches Across JDK Providers

Oracle's quarterly Critical Patch Update (CPU) for April 2026 includes versions 25.0.3, 21.0.11, 17.0.19, 11.0.31, and 8u491 of the JDK. These patches address multiple security vulnerabilities that could be exploited in production environments. Organizations running older Java versions should prioritize upgrading to these patched releases to mitigate potential security risks.

Downstream JDK providers have coordinated with Oracle's release timeline, providing their own patched versions:

BellSoft's Liberica JDK has released CPU patches for versions 25.0.2.0.1, 21.0.10.0.1, 17.0.18.0.1, 11.0.30.0.1, 8u491, 7u501, and 6u501. Additionally, BellSoft has released Patch Set Update (PSU) versions 26.01, 25.0.3, 21.0.11, 17.0.19, 11.0.31, and 8u492, which include both CPU fixes and non-critical updates. With a total of 954 fixes and backports, BellSoft reports participation in eliminating 63 issues across all releases.

Azul's Zulu JDK has also released quarterly updates featuring versions 26.0.1, 25.0.3, 21.0.11, 17.0.19, and 11.0.31. These releases address the same CVEs as Oracle's patches, providing organizations with multiple options for obtaining secure JDK builds.

The coordination between Oracle and downstream providers ensures that organizations can choose their preferred JDK distribution while maintaining security across the Java ecosystem. This collaborative approach benefits the broader Java community by reducing fragmentation in security patching.
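A patch-level check built from the version numbers above, as an added example that is not part of the original article or any vendor's tooling: it parses the version string a JDK reports (legacy `1.8.0_491`, short `8u491`, or modern `21.0.11+9`) and compares it with the April 2026 CPU baseline for that feature release. The vendor labels and the sample inventory are constructed for illustration.

```python
import re

# Minimum April 2026 CPU versions per feature release, as listed in the article.
# The vendor keys ("oracle", "liberica") are labels chosen for this example.
BASELINES = {
    "oracle":   {25: (25, 0, 3), 21: (21, 0, 11), 17: (17, 0, 19),
                 11: (11, 0, 31), 8: (8, 0, 491)},
    "liberica": {25: (25, 0, 2, 0, 1), 21: (21, 0, 10, 0, 1),
                 17: (17, 0, 18, 0, 1), 11: (11, 0, 30, 0, 1), 8: (8, 0, 491)},
}

def parse_java_version(text):
    """Turn a JDK version string into a comparable tuple of ints."""
    text = text.strip().strip('"')
    text = re.split(r"[-+]", text, maxsplit=1)[0]            # drop build / -ea suffix
    legacy = re.fullmatch(r"1\.(\d+)\.0(?:_(\d+))?", text)   # 1.8.0_491
    if legacy:
        return (int(legacy.group(1)), 0, int(legacy.group(2) or 0))
    short = re.fullmatch(r"(\d+)u(\d+)", text)               # 8u491
    if short:
        return (int(short.group(1)), 0, int(short.group(2)))
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised JDK version: {text!r}")
    return tuple(int(p) for p in text.split("."))            # 21.0.11, 17.0.18.0.1

def patch_status(version, vendor="oracle"):
    """Return 'patched', 'outdated' or 'unlisted' for one reported version."""
    parsed = parse_java_version(version)
    baseline = BASELINES[vendor].get(parsed[0])
    if baseline is None:
        return "unlisted"   # feature release not among the versions in the article
    # Tuple order handles four/five-part builds: (17,0,18) < (17,0,18,0,1) < (17,0,19)
    return "patched" if parsed >= baseline else "outdated"

if __name__ == "__main__":
    # Constructed inventory of (host, vendor, reported version) for illustration.
    inventory = [
        ("build-01", "oracle", "21.0.11+9-LTS"),
        ("app-07", "oracle", "1.8.0_481-b10"),
        ("app-12", "liberica", "17.0.18.0.1"),
        ("batch-03", "oracle", "26.0.1"),
    ]
    for host, vendor, version in inventory:
        print(f"{host:10} {vendor:9} {version:16} {patch_status(version, vendor)}")
```

An "unlisted" result means the article gives no baseline for that feature release under the chosen vendor, so it needs a manual check against the vendor's own advisory.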

Jakarta EE and Framework Updates

Jakarta Persistence 4.0 has reached its second milestone release, delivering significant enhancements since the first milestone. Notable additions include:

  • New specialized expression types: ComparableExpression and NumericExpression interfaces
  • New metamodel attribute types: ComparableAttribute and NumericAttribute interfaces
  • A new FetchOption interface for improved control over data fetching with EntityGraph

These enhancements provide developers with more granular control over persistence operations, particularly for complex queries involving comparable and numeric data types.

Spring Framework has seen a flurry of activity with first release candidates of multiple projects:

  • Spring Boot
  • Spring Security
  • Spring Integration
  • Spring Modulith
  • Spring AMQP
  • Spring for Apache Kafka
  • Spring Vault

These releases represent significant updates to the Spring ecosystem, with potential impacts on how developers build and maintain Spring-based applications. Organizations using these technologies should evaluate the release candidates for compatibility with existing codebases.

Tooling Enhancements

Several key developer tools have received important updates:

Open Liberty 26.0.0.4 has reached general availability with notable improvements:

  • Support for JDK 26, enabling developers to leverage the latest Java features
  • Enhanced authentication through JWT signature algorithm selection from the JOSE header
  • Removal of the default password for Lightweight Third Party Authentication (LTPA) keys, addressing CVE-2025-14917

The security fix in particular resolves a vulnerability present in Open Liberty versions 17.0.0.3 through 26.0.0.3 that could result in weaker than expected security when administering security settings. Organizations using affected versions should prioritize upgrading to 26.0.0.4.

Testcontainers for Java 2.0.5 introduces several valuable improvements:

  • Support for the apache/artemis Docker image in the ArtemisContainer class
  • New methods getHttpPort() and getGrpcPort() in WeaviateContainer for accessing ports 8080 and 50051
  • Support for the !override tag in Docker Compose

These enhancements expand Testcontainers' capabilities for integration testing, particularly for applications using Artemis message broker and Weaviate vector database.

Multik 0.3.1, the multidimensional array library for Kotlin, provides bug fixes and dependency upgrades. Notably, this release removes the Kotlin/Native macosX64 target from all modules due to Apple's declaration of Intel MacBooks as obsolete. This change reflects the evolving hardware landscape and ensures compatibility with current development environments.

IntelliJ IDEA 2026.1.1 addresses several critical issues:

  • Resolution of ClassCastException related to Gradle synchronization involving InternalIdeaModule and Gradle ProjectModel
  • Fix for error connecting to WildFly administration process after server startup

These improvements enhance the development experience for Java developers using IntelliJ IDEA, particularly those working with Gradle-based projects and WildFly application servers.

Business Impact and Migration Considerations

The recent updates to the Java ecosystem present several considerations for organizations:

Security Implications: The critical patch releases from Oracle, BellSoft, and Azul address multiple CVEs that could be exploited in production environments. Organizations should prioritize upgrading to patched versions, particularly for applications exposed to untrusted networks or handling sensitive data.

Migration Planning: With JDK 27's general availability scheduled for September 2026, organizations should begin planning their migration paths. The new features in JDK 27, particularly the enhanced pattern matching for primitive types, may require code adjustments and testing. Organizations running long-term support (LTS) versions of Java should evaluate whether to migrate to JDK 21 or wait for JDK 17's end-of-life.

Tooling Updates: The improvements in Open Liberty, Testcontainers, and IntelliJ IDEA can enhance developer productivity and application reliability. Organizations should evaluate these updates in non-production environments before adopting them in critical systems.

Hardware Compatibility: The removal of Intel Mac support in Multik highlights the importance of staying current with hardware compatibility requirements. Organizations with legacy hardware should assess their development environment needs and plan accordingly.

The coordinated approach to security patching across JDK providers demonstrates the strength of the Java ecosystem, providing organizations with flexibility while ensuring consistent security updates. As the Java platform continues to evolve, organizations should maintain awareness of these developments and plan their adoption strategies accordingly.

About the Author: Michael Redlich has been an active member within the Java community for the past 25 years. He founded the Garden State Java User Group in 2001 and has served as a Java community news editor for InfoQ since 2016. A Java Champion named in April 2023, Mike also serves as a committer on the Jakarta NoSQL and Jakarta Data specifications and participates on the leadership council of the Jakarta EE Ambassadors.
