Make the Garbage-First (G1) garbage collector the default collector in all environments, rather than just server environments.
Enhance the security of Java applications that require secure
network communication by implementing hybrid
key exchange algorithms for TLS 1.3. Such algorithms
defend against future quantum computing attacks by combining a
quantum-resistant algorithm with a traditional algorithm.
Applications that use the javax.net.ssl APIs will
benefit from these improved algorithms by default, without change
to existing code.
Introduce an API for lazy constants, which are objects
that hold unmodifiable data. Lazy constants are treated as true
constants by the JVM, enabling the same performance optimizations
that are enabled by declaring a field final. Compared
to final fields, however, lazy constants offer greater
flexibility as to the timing of their initialization. This is a
preview API.
Enhance pattern matching by allowing primitive types in all
pattern contexts, and extend instanceof and
switch to work with all primitive types. This is a
preview language
feature.
Simplify concurrent programming by introducing an API for structured concurrency. Structured concurrency treats groups of related tasks running in different threads as single units of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. This is a preview API.
Make compact object headers the default object header layout in the HotSpot JVM. Compact object headers reduce object headers from 96 bits down to 64 bits on 64-bit architectures, thereby reducing heap size, improving deployment density, and increasing data locality.
Enhance JDK Flight Recorder (JFR) to redact command-line arguments and the initial values of environment variables and system properties in recordings. Redact this data before it leaves the process, so that sensitive information does not leak.
Introduce an API to express vector computations that reliably compile at run time to optimal vector instructions on supported CPUs, thus achieving performance superior to equivalent scalar computations. This is an incubating API.
Introduce an API for encoding objects that represent cryptographic keys, certificates, and certificate revocation lists into the widely-used Privacy-Enhanced Mail (PEM) transport format, and for decoding from that format back into objects. This is a preview API.
The underlying SHA-3 intrinsics operations have
been optimized for ML-KEM and ML-DSA algorithms in this release
which has resulted in noticeable performance improvements for key
generation, KEM decapsulation/encapsulation, and
signing/verification as follows:
ML-KEM Key generation: +48%
ML-KEM Decapsulation: +47%
ML-KEM Encapsulation: +46%
ML-DSA Key generation: +60%
ML-DSA Signing: +38%
ML-DSA Verification: +74%
ffdhe6144 and ffdhe8192 were removed from the default list of
TLS named groups, as they are almost never used in practice and
require additional host resources to process. You can add them to
the default list of named groups by setting the system property
jdk.tls.namedGroups or by calling the
SSLParameters::setNamedGroups method when configuring
a TLS socket connection.
The experimental JVM Compiler Interface (JVMCI) has been removed in this release. These changes include the removal of JVMCI code from the HotSpot JVM, the modules jdk.internal.vm.ci, jdk.graal.compiler and jdk.graal.compile.management, the JVMCI-specific JIT-compilation policies, the configure feature selection flags, and all flags containing the string "JVMCI" as well as -XX:+UseGraalJIT.
The JVMCI offered an experimental internal Java API that allowed writing a JIT compiler in Java that could be invoked by HotSpot. After more than a decade of experimentation, its maintenance and testing costs in the JDK outweighed the benefit to the limited set of downstream use cases it served. Downstream projects that depend on JVMCI should carry and maintain it in their own downstream trees or stay on previous releases of the JDK.
A Bash autocompletion script for the jcmd
diagnostic tool has been added.
On Linux, to enable autocompletion, at a Bash prompt, run
source <JDK_HOME>/conf/bash-completion/jcmd. For
system-wide availability, place the script in the
'/usr/share/bash-completion/completions/' folder.
Compact Object Headers are a feature introduced in JDK 24 under JEP 450 (https://openjdk.org/jeps/450). This feature is now enabled by default, which reduces the Java heap footprint of applications and potentially provides performance benefits.
This feature can still be disabled by using the flag
-XX:-UseCompactObjectHeaders. This flag is planned to
be deprecated and removed in a future release.
The CDS archives for the JDK image called
classes_coh.jsa and
classes_nocoops_coh.jsa are provided to allow
equivalent startup performance and are configured with the default
UseCompactObjectHeaders turned on. Alternate CDS
archives are provided if the feature is turned off.
The JNDI/LDAP service provider, belonging to the
java.naming module in the JDK, will no longer have any
values set by default for the
java.naming.factory.control,
java.naming.factory.object and
java.naming.factory.state standard JNDI
properties.
These standard JNDI properties, that specify lists of JNDI factories, were previously being set by the LDAP service provider to class names of classes that did not belong to the JDK. Those classes may have been part of the application classpath. With this change, such applications will no longer see those factories being used.
Applications that may have been relying on these 3 JNDI properties being set by the LDAP service provider are expected to set these values themselves, by following the documentation of javax.naming.Context.
The following root certificates have been added to the
cacerts truststore:
+ WISeKey
+ wisekeyglobalrootgbca
DN: CN=OISTE WISeKey Global Root GB CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
+ WISeKey
+ wisekeyglobalrootgcca
DN: CN=OISTE WISeKey Global Root GC CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
The command line option
-XX:InitiatingHeapOccupancyPercent has been renamed to
-XX:G1IHOP to reflect its usage with the G1 garbage
collector.
The old option -XX:InitiatingHeapOccupancyPercent
is still available for backwards compatibility; this alias is now
deprecated.
The locale data based on the Unicode Consortium's CLDR has been upgraded to version 48.2. Besides the usual addition of new locale data and translation changes, there are notable changes from the upstream CLDR, affecting Date/Time/Number formats:
CLDR-19106
Unreadable date + times in zh_Hant and yue
CLDR-13986
fr_CH: Formatting should be CHF XXX'XXX.00 in my opinion
CLDR-19280
BC moving to permanent DST
Note that locale data is subject to change in a future release of the CLDR. Although not all locale data changes affect the JDK, users should not assume stability across releases. For more details, please refer to the Unicode Consortium's CLDR release notes and their locale data deltas.
The javadoc tool now recursively copies
subdirectories of doc-files directories to the
generated output. The -docfilessubdirs option, which
was previously used to enable this behavior, is no longer required
and may be removed in a future release.
The -excludedocfilessubdir option now supports
* as an argument to exclude all doc-files
subdirectories from being copied, thereby restoring the previous
default behavior.
The java launcher options -noclassgc,
-noverify, -verifyremote and the
-Xverify:none HotSpot VM option which had been
deprecated, are now removed.
Applications that were using -noclassgc when
launching java may consider using its equivalent
-Xnoclassgc instead. Similarly, applications that were
using -verifyremote may consider using
-Xverify:remote instead.
There's no replacement for -noverify or
-Xverify:none options and applications should no
longer use them.
Obsolete localized resource files are now removed from the JDK source repository.
The JDK includes localized resource files for a number of
components. However, apart from English, Japanese, German, and
Simplified Chinese, the other localized resource files are
unmaintained. Over time, these files are falling out of sync from
their English counterparts. For example, in builds that include
these unmaintained resource files, the output of the java
launcher's --help option would not contain information
for --enable-preview in unmaintained languages.
These localized resource files are now removed. The exception to
this change is the
java.desktop module, whose unmaintained localized
resource files will remain available. As a result, users of builds
that previously exposed messages in an unmaintained language may
see English output instead. Users of Oracle JDK builds are not
affected by this change, as unmaintained localized resource files
have been excluded since JDK 11.
The JDK now supports TLS 1.3 Certificate Compression (RFC 8879) for the
zlib compression algorithm. This can reduce the size
of certificate chains exchanged in TLS handshakes. The
brotli and zstd compression algorithms
are not supported.
TLS Certificate Compression is enabled by default. To disable
it, the jdk.tls.client.disableExtensions and
jdk.tls.server.disableExtensions system properties can
be modified to include the compress_certificate extension.
Examples of the Java command-line parameters to disable TLS
Certificate Compression on the client and on the server side
respectively, are as follows:
-Djdk.tls.client.disableExtensions=compress_certificate
-Djdk.tls.server.disableExtensions=compress_certificate
The "HSS/LMS" signature algorithm now supports the additional parameter sets defined in RFC 9858, in addition to those originally defined in RFC 8554. These new parameter sets can produce smaller signatures.
A new diagnostic command, VM.security_properties,
has been added to the
jcmd tool. This command prints the current set of
Java security properties for a running JVM process, similar to the
existing VM.system_properties command for system
properties. This enhancement provides an easy and scriptable way to
diagnose and troubleshoot security-related configuration issues in
production and development environments.
ServiceLoader is changed so that iteration over
service providers now consistently throws
ServiceConfigurationError when
NoClassDefFoundError or other linkage errors are
encountered. ServiceConfigurationError is also thrown
when consuming a stream of service providers and a linkage error is
encountered.
The Thread delivering events to
javax.naming.event.NamingListeners, enrolled with a
javax.naming.ldap.LdapContext, will now have its
thread context class loader set to the
system class loader.
The JSON format thread dump generated by
com.sun.management.HotSpotDiagnosticMXBean.dumpThreads,
and the
jcmd Thread.dump_to_file command, now
generate the JSON value for thread identifiers, thread counts, and
the process identifier as numbers, e.g. { "tid": 3, ..
}. The values were previously generated as strings. Programs
that parse the JSON format thread dump may need to be updated.
As part of the change, the threadDump object now
has a member named formatVersion, with value 2, for
the thread dump format. The value will be updated as the thread
dump format evolves.
A new security property,
jdk.security.password.allowSystemIn, has been added to
control whether the Java platform can read passwords from the
standard input stream if a console is not available. This typically
represents a redirected file or an interprocess pipe. If the
property is set to false, attempting to read passwords
from the standard input stream without a console will throw an
exception. The default value is true. This default may
change in a future release.
The property applies to tools that prompt for passwords such as
keytool and jarsigner, and to
PasswordCallback objects processed by
TextCallbackHandler.
javac now enforces JLS rules for trailing ASCII SUB
(U+001A, control-Z) characters in source files. If
U+001A appears and any additional characters follow
it, those trailing characters are no longer silently ignored; they
are treated as illegal input.
ZipOutputStream::putNextEntry now throws
ZipException when a ZipEntry name or
comment string contains unmappable characters and cannot be encoded
using the charset of the ZipOutputStream.
Before this release, an unmappable name would cause
ZipOutputStream::putNextEntry to throw an
IllegalArgumentException. Similarly, an unmappable
comment would cause an IllegalArgumentException to be
thrown from ZipOutputStream::finish or
ZipOutputStream::close.
Any code catching IllegalArgumentException for such
format errors should be updated to instead catch the specified
ZipException.
The java launcher will now correctly determine
which main method to invoke when a package-private
main method is defined in a different package from the
class being launched. Such a main method will no
longer be invoked by the java launcher.
The HotSpot JVM option UseCompressedClassPointers
was deprecated in JDK 25, and is now obsolete in JDK 27. If you use
this option on the Java command line, either to enable or disable,
you will get a warning: Ignoring option
UseCompressedClassPointers; support was removed in 27.0.
The JVM now always compresses class pointers in Java objects.
The underlying Curve25519 operations have been
optimized in this release which has resulted in noticeable
performance improvements for the X25519 key agreement
algorithm and the Ed25519 signature algorithm as
follows:
X25519 Key generation: +55%
X25519 Decapsulation: +51%
X25519 Encapsulation: +51%
X25519 - resumption: +36%
X25519 - no resumption: +17%
Ed25519 Key generation: +48%
Ed25519 Signing: +49%
X25519 Key generation: +50%
X25519 Decapsulation: +50%
X25519 Encapsulation: +50%
X25519 - resumption: +28%
X25519 - no resumption: +14%
Ed25519 Key generation: +46%
Ed25519 Signing: +46%
The output of the jcmd 'VM.info' diagnostic command and HotSpot fatal error (hs_err_pid) logs now include the current number of open file descriptors for the running Java process. On supported platforms, the new output shows the active file descriptor count (e.g., Open File Descriptors: 52) in the SYSTEM section. This enhancement improves the ability to diagnose and troubleshoot resource exhaustion and “Too many open files” issues on Unix platforms.
Note that the maximum file descriptor limit for the process is already printed in the same output, and can be found as the NOFILE value (e.g., NOFILE 10240/infinity).
The Foreign Function and Memory API now supports initializing
the thread-local execution state before downcalls. This complements
the preexisting call state capturing mechanism, which can already
be used to read thread-local execution state after downcalls. The
structure and contents of the execution state are
platform-dependent and described by
Linker.Option::captureStateLayout().
When call state capturing is enabled through
Linker.Option::captureCallState(String...
capturedState), a memory segment acts as a buffer for the
thread-local data. Prior to the downcall, the contents of the
buffer are used to initialize thread-local data. Immediately after
the downcall, the thread-local data is copied into the buffer.
See
Linker.Option::captureCallState(String...
capturedState) in the JavaDoc API documentation for
further information and a usage example.
The implementation of
DocTrees.getElement(DocTreePath) has been updated
to align more closely with the
javax.lang.model API. In particular, the method
now returns null when the argument refers to a
primitive or array type. Previously, it returned an invalid
TypeElement for primitive types and the component
type for array types.
You can use
DocTrees.getType(DocTreePath) to obtain valid
TypeMirror instances for DocTreePath
instances referring to primitive or array types.
RuntimeMXBean.getInputArguments() Method Now
Adds the -XX Prefix for Arguments From a Settings File
(JDK-8378110)
RuntimeMXBean.getInputArguments() now adds the
-XX: prefix for arguments passed via a settings file.
RuntimeMXBean.getInputArguments() returns arguments
passed on the command-line as well as any given via settings files
(-XX:Flags=<path>). Previously, arguments from a
settings file were returned without the -XX: prefix,
for example +UseG1GC. Now, these arguments are
returned with the -XX: prefix, for example
-XX:+UseG1GC.
The Serviceability Agent printmdo command has been
removed. printmdo is a sub-command of the clhsdb
tool used for displaying MethodData, which is JVM internal compiler
information.
Empty subsets of TreeMap and TreeSet
now throw NullPointerException when passing a null
action to Stream.forEach,
Spliterator.forEachRemaining or
Spliterator.tryAdvance. In prior releases,
implementations of Spliterator and Stream
for subsets of TreeMap and TreeSet
returned false or completed normally when passed a
null action if the subset was empty, instead of throwing
NullPointerException as required by the
specification.
The Trees API model (a JDK-specific public API) for modeling the
Java source code has been changed to more precisely model variables
with inferred types. See
com.sun.source.tree.VariableTree.getType() for
details.
Type annotations, in particular, annotations that are not
applicable for local variables and parameter declarations and have
@Target(TYPE_USE), will now be consistently rejected
for all variables with inferred types (that is, using
var). This includes lambda parameters and for-each
variables.
The behavior of the JDK built-in
com.sun.net.httpserver.HttpServer implementation,
when matching an incoming request path to an
HttpContext path, is switched from string prefix
matching to path prefix matching. This means the
request path must begin with the context path, and all matching
path segments must be identical. For instance, the context path
/foo would match request paths /foo,
/foo/, and /foo/bar, but not
/foobar. The old behavior, string prefix
matching, can be enabled using the newly introduced
sun.net.httpserver.pathMatcher system property.
This property and the ability to restore the old behavior may be
removed in a future release.
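The difference between the two matching rules, as an added example that is not the JDK's own HttpServer code: the class, method and enum names are hypothetical, the context list is constructed, and the longest-match selection follows the rule documented for HttpServer.

```java
import java.util.List;

/** Illustration of the two matching rules described above; not JDK source. */
public class ContextPathMatching {

    enum Mode { STRING_PREFIX, PATH_PREFIX }

    /** Old rule: the request path only has to start with the context path string. */
    static boolean stringPrefixMatch(String contextPath, String requestPath) {
        return requestPath.startsWith(contextPath);
    }

    /** New rule: every path segment of the context path must equal the request's segment. */
    static boolean pathPrefixMatch(String contextPath, String requestPath) {
        if (!requestPath.startsWith(contextPath)) {
            return false;
        }
        // Identical paths, or a context path that already ends on a segment boundary ("/").
        if (requestPath.length() == contextPath.length() || contextPath.endsWith("/")) {
            return true;
        }
        // Otherwise the request must begin a new segment right after the context path.
        return requestPath.charAt(contextPath.length()) == '/';
    }

    /** Picks the longest matching context path, or null when nothing matches. */
    static String resolve(List<String> contexts, String requestPath, Mode mode) {
        String best = null;
        for (String ctx : contexts) {
            boolean hit = (mode == Mode.STRING_PREFIX)
                    ? stringPrefixMatch(ctx, requestPath)
                    : pathPrefixMatch(ctx, requestPath);
            if (hit && (best == null || ctx.length() > best.length())) {
                best = ctx;
            }
        }
        return best;
    }

    public static void main(String[] args) {
        // Constructed sample: a catch-all context plus the /foo context from the text.
        List<String> contexts = List.of("/", "/foo");
        for (String path : List.of("/foo", "/foo/", "/foo/bar", "/foobar")) {
            System.out.printf("%-9s string-prefix -> %-5s path-prefix -> %s%n",
                    path,
                    resolve(contexts, path, Mode.STRING_PREFIX),
                    resolve(contexts, path, Mode.PATH_PREFIX));
        }
    }
}
```

Only /foobar changes: string prefix matching hands it to the /foo context, while path prefix matching lets it fall through to the / context, which matters when a handler, filter or authenticator is attached per context.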
The parsing of the javax.net.debug system property
for TLS/SSL debug logging has been updated to strictly enforce
documented option and sub-option relationships. Sub-options such as
verbose, packet, and
plaintext now require their respective parent options,
and only valid combinations have an effect. Invalid or unsupported
combinations are silently ignored.
Previously, some sub-options could be used independently or in
incorrect combinations, contrary to the intended design. The help
message (-Djavax.net.debug=help) has also been updated
to accurately reflect all supported and obsolete entries.
Users who previously relied on undocumented or invalid
combinations (for example, specifying only
-Djavax.net.debug=verbose) will need to update their
configurations to match the documented usage. Please refer to the
updated help output for the current list of valid options and
examples of correct usage.
The default time zone returned by
TimeZone.getDefault() on Windows now reflects the
latest IANA TZ database IDs, aligning with current IANA
definitions. Previously, for some regions, such as India, the
method returned obsolete IDs (e.g., "Asia/Calcutta"), but it now
correctly returns the current IDs (e.g., "Asia/Kolkata").
New methods have been added to the KeyStore and
KeyStoreSpi classes that return the creation dates of
alias entries as java.time.Instant values:
KeyStore::getCreationInstant and
KeyStoreSpi::engineGetCreationInstant.
Predefined ISO-8601 based formatters in the
DateTimeFormatter class that accept zone offsets
(for example, ISO_DATE) now support short zone offsets
for parsing. In previous releases, parsing offsets without seconds
or nanoseconds (for example, +01) resulted in a
DateTimeParseException with some ISO formatters. These
offsets are now parsed successfully by all predefined ISO
formatters that accept zone offsets.
The JDK now encodes ML-KEM and ML-DSA private keys in PKCS #8
format using the DER-encoded ASN.1 CHOICE formats defined in
Section 6, "Private Key Format" of RFC 9935 and
Section 6, "Private Key Format" of RFC 9881. Two new security
properties, jdk.mlkem.pkcs8.encoding and
jdk.mldsa.pkcs8.encoding, control the encoding used
when generating new keys with a KeyPairGenerator or
when translating keys with a KeyFactory. Valid values
are seed, expandedKey, and
both (case-insensitive). If a system property of the
same name is also specified, it supersedes the security property
value. All three formats are supported when decoding previously
encoded private keys with a KeyFactory.
When these algorithms were introduced in JDK 24, the encoding
format was equivalent to the expandedKey value. This
release changes the default value to seed. As a
result, ML-KEM and ML-DSA private keys generated by this JDK
release will not be accepted by older releases by default, although
keys generated by older releases are still readable by this
release. To make a newly generated private key acceptable to older
releases, set the relevant property to expandedKey and
use KeyFactory.translateKey to convert the key to the
older format.
TLS 1.3 key agreement has been changed to use the
Generic key algorithm for Diffie-Hellman shared
secrets instead of the TlsPremasterSecret algorithm.
This implementation detail should be transparent to the users of
the SunJSSE provider, but it may cause handshake failures when
using JCE providers that do not support Generic
keys.
In case of compatibility issues, the original behavior can be
restored by setting the system property
jdk.tls.t13KeyDerivationAlgorithm to
TlsPremasterSecret.
The G1 garbage collector changes the default values of the
-XX:MinHeapFreeRatio and
-XX:MaxHeapFreeRatio options to 0 and 100 (from 40 and
70), respectively. As a result, these options no longer affect G1
heap resizing unless explicitly set by the user.
Previously, the default values could trigger heap expansion or shrinking after a Full GC, potentially causing unnecessary heap resizing, particularly for applications that frequently invoke System.gc().
Applications that explicitly set
-XX:MinHeapFreeRatio or
-XX:MaxHeapFreeRatio retain heap resizing behavior
based on those settings.
Hybrid key exchange algorithms for TLS 1.3 have been
implemented, enhancing the security of Java applications that
require secure network communication. These algorithms defend
against future quantum computing attacks by combining a
quantum-resistant algorithm with a traditional algorithm.
Applications that use the
javax.net.ssl APIs will benefit from these
improved algorithms by default, without requiring any code
changes.
The following three new hybrid key exchange algorithms are
supported: X25519MLKEM768,
SecP256r1MLKEM768, and
SecP384r1MLKEM1024. Of these, only
X25519MLKEM768 is placed at the front of the default
named groups list, making it the most preferred group.
For more details, see JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3.
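A check of the effective TLS named groups against the defaults described in this item and in the earlier note on ffdhe6144 and ffdhe8192, as an added example that is not code from the JDK or its documentation. The class and method names are hypothetical; it assumes JDK 20 or later for SSLParameters::getNamedGroups and setNamedGroups, and the explicit list set at the end is only a sample policy.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Audits the named groups a default SSLEngine would offer (hypothetical helper). */
public class NamedGroupAudit {

    static final String HYBRID = "X25519MLKEM768";
    static final List<String> LARGE_FFDHE = List.of("ffdhe6144", "ffdhe8192");

    static boolean contains(String[] groups, String name) {
        return Arrays.stream(groups).anyMatch(g -> g.equalsIgnoreCase(name));
    }

    /** Returns human-readable findings; an empty list means the list matches the new defaults. */
    static List<String> findings(String[] groups) {
        List<String> out = new ArrayList<>();
        if (groups == null || groups.length == 0) {
            out.add("no named groups reported; provider defaults apply and cannot be audited here");
            return out;
        }
        if (!groups[0].equalsIgnoreCase(HYBRID)) {
            out.add(HYBRID + " is not the most preferred group (first is " + groups[0] + ")");
        }
        for (String ffdhe : LARGE_FFDHE) {
            if (contains(groups, ffdhe)) {
                out.add(ffdhe + " is enabled (jdk.tls.namedGroups or setNamedGroups override?)");
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        String[] groups = params.getNamedGroups();

        System.out.println("Effective named groups: " + Arrays.toString(groups));
        List<String> issues = findings(groups);
        if (issues.isEmpty()) {
            System.out.println("OK: hybrid group preferred, large FFDHE groups absent");
        } else {
            issues.forEach(i -> System.out.println("FINDING: " + i));
        }

        // Sample policy (an assumption, not a JDK default): set an explicit list per
        // connection, hybrid first, only when the runtime actually reports the hybrid group.
        if (groups != null && contains(groups, HYBRID)) {
            params.setNamedGroups(new String[] { HYBRID, "x25519", "secp256r1" });
            engine.setSSLParameters(params);
            System.out.println("Set for this engine: "
                    + Arrays.toString(engine.getSSLParameters().getNamedGroups()));
        }
    }
}
```

On a release without the hybrid groups, or with jdk.tls.namedGroups overridden, the first finding shows that the connection will not prefer X25519MLKEM768.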
The finalize() method has been removed from
java.util.concurrent.ThreadPoolExecutor.
ThreadPoolExecutor.finalize() was deprecated in JDK
9 as part of deprecating finalization for removal (JEP 421). The method was
re-specified in JDK 11 to "do nothing" and deprecated for removal
in JDK 18.
The removal of this method means that any existing code that
extends ThreadPoolExecutor and overrides
finalize() to call super.finalize() (or
calls finalize() directly) will now call
Object.finalize(). This code may no longer compile as
Object.finalize() throws Throwable
whereas the removed ThreadPoolExecutor.finalize() did
not declare any checked exceptions. Developers are strongly
encouraged to stop using finalization but if necessary, the source
compatibility issue can be worked around using a
try-catch.
java.locale.useOldISOCodes System Property (JDK-8355522)
Support for the java.locale.useOldISOCodes system
property in the
java.util.Locale class has been removed.
Originally introduced in JDK 17, this property allowed applications
to revert to legacy ISO 639 language codes ("iw" for Hebrew, "ji"
for Yiddish, and "in" for Indonesian). It was deprecated in JDK 25
and, starting with JDK 27, specifying this property has no effect
and triggers a warning at runtime. Users who still rely on the old
codes are encouraged to transition to the current standard codes:
"he" for Hebrew, "yi" for Yiddish, and "id" for Indonesian.