Announcing Java updates of Jan 20, 2026 for 8, 11, 17, 21, and 25 - thoughts and resources
TLDR: The new updates are 1.8.0_481 (aka 8u481), 11.0.30, 17.0.18, 21.0.10, and 25.0.2, respectively. More on the updates below, including links to more info on each of them: what changed, bug fixes, and the security fixes each version contains. (I also offer a quick assessment of the changes listed for the updates.)
Also, OpenJDK updates are usually released at the same time or soon after, so this info may help users of such alternative JDK implementations.
For some folks, the above is all they need to hear. For others, whether this is your first time updating Java or your fiftieth, there are some things that you may or may not know, as I cover here.
Topics:
- Finding more info on these most recent Java updates
- Changes, in brief
- Finding more on security matters addressed in these Java updates
- Obtaining the JVM update, from Oracle or from Adobe
- Other topics you may be interested to know, and where I discuss them
- Wrapping up, getting more help
Note also that while Oracle calls these updates "critical patch updates" (yep, "CPU"), they are in fact scheduled quarterly updates (Jan, Apr, Jul, Oct, with specific dates listed here), so the "critical" aspect of this nomenclature may sometimes be a bit overstated. See more below on the specific security changes. And as is generally the case with these Java updates, most of them have the same changes and fixes across the current LTS JVM versions, though not always.
Finding more info on these most recent Java updates
As for what changed in the updates, see the release notes for each of 1.8.0_481, 11.0.30, 17.0.18, 21.0.10, and 25.0.2. (Java 24 was last updated in Jul 2025 and is now no longer updated by Oracle, as it was in effect a "short-term" release, supplanted by 25. Again, the others are what Oracle calls "long-term support" or LTS releases.) These Oracle release notes have sections on topics such as "New Features", "Known Issues", "Issues Fixed", "Other notes", and "Bug Fixes"--each as may apply to that specific update, which is why I am not listing all these changes here. See the release note for the update you are considering applying. That said, some changes may indeed be (and typically are) found in all the current LTS versions.
Changes, in brief
Though I don't want to repeat the details in the technotes, here at least is a brief assessment of the changes, as I've compared them across all of the LTS versions that were updated. (I'll discuss security changes separately in the next section.)
Items in "New Features" section
First, note that all of the technotes for this update list just a single item under the "new features" section:
- "Endpoint Identification Enabled By Default for RMI Connections Over TLS". This is, of course, about use of RMI to connect to Java. See the technote for more. (There's a related but different discussion in the "other notes" section, which I discuss below, about "Disabled TLS_RSA Cipher Suites".)
Items in "Other Notes" section
Here is a quick overview on the items listed in that section, though I present them in a different order here:
- "Windows Installers to Return to Full Version Directory and Use of Junction": this doesn't apply if you use the "zip" approach to installing new JVM versions, but if you use the Windows installer (exe), note that there had been an important change regarding how the Windows JDK installer worked starting with the Jan 2023 updates. I discussed the impact of that change, on Java 11 and later, in a follow-up post after announcing that update. This new approach tries to address that...though I will note that if you rely on the new "junction" (referring to Java\latest\jdk-17, for instance), do beware that the same issue can happen--needing to stop any process that's configured to USE that jvm. Again, for more, see my other post.
- "Disabled TLS_RSA Cipher Suites": note that both this and the RMI issue above refer to how this update may break current processes where you have communication OUT of the jvm to servers that might still support TLS_RSA ciphers. Note that it also refers to how you can override this protection by modifying the java.security file. What it doesn't clarify is that this file is found in conf/security in Java 11 and above, but in lib/security in 8.
- For these two, "Changes to the Default Time Zone Detection on Debian-based Linux" and "Make jcmd Command Available in the Headless JDK RPM", see the info in the technote.
- Same with these two, "Disabled SHA-1 in TLS 1.2 and DTLS 1.2 Handshake Signatures" and "Filter Rules for URIs in the Authority Info Access Extension for Certificates", though I will note also that these two are curiously NOT listed in the Java 25 technote (perhaps because they are changes already incorporated into 25 when it was created last year?)
- Finally, this one is listed in the Java 8 technote alone (which I find curious), "jcmd -l and jps Commands Do Not List Java Processes Running in Docker Containers"
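As an added example (not from the original post or from Oracle), here is a Python check for the "Disabled TLS_RSA Cipher Suites" item above: it locates java.security under a given JAVA_HOME and reports whether the TLS_RSA block is still active after any local edits. It assumes the block is expressed as a `TLS_RSA_*` entry in the `jdk.tls.disabledAlgorithms` property (names not stated in the post; confirm them in the technote), and the sample file content is constructed.

```python
import os, sys

# Locations relative to JAVA_HOME: conf/security (Java 11+), lib/security (Java 8);
# a Java 8 JDK nests its JRE, so jre/lib/security is checked as well.
LAYOUTS = ("conf", os.path.join("jre", "lib"), "lib")

def find_java_security(java_home):
    """Return the first java.security file found under java_home, or None."""
    for layout in LAYOUTS:
        path = os.path.join(java_home, layout, "security", "java.security")
        if os.path.isfile(path):
            return path
    return None

def read_property(text, name):
    """Return the comma-separated entries of `name`, or None if it is not set.
    Skips comment lines and joins backslash continuations (simplified parser)."""
    value, collecting = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not collecting:
            key, sep, line = line.partition("=")
            if key.startswith(("#", "!")) or not sep or key.strip() != name:
                continue
            value = ""  # a later definition replaces an earlier one
        collecting = line.endswith("\\")
        value += line[:-1] if collecting else line
    return None if value is None else [e.strip() for e in value.split(",") if e.strip()]

def tls_rsa_disabled(text):
    """True when TLS_RSA_* is a live jdk.tls.disabledAlgorithms entry (assumed names)."""
    return "TLS_RSA_*" in (read_property(text, "jdk.tls.disabledAlgorithms") or [])

def check_java_home(java_home):
    """Return (path, disabled) for a JAVA_HOME; (None, None) if no file is found."""
    path = find_java_security(java_home)
    if path is None:
        return None, None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return path, tls_rsa_disabled(fh.read())

# Constructed sample: the commented line is documentation only; the live value
# continues across lines, as it does in the file shipped with the JDK.
SAMPLE = ("# jdk.tls.disabledAlgorithms=MD5, TLS_RSA_*\n"
          "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, \\\n"
          "    3DES_EDE_CBC, anon, NULL, TLS_RSA_*\n")

if __name__ == "__main__":
    print(check_java_home(sys.argv[1]) if len(sys.argv) > 1 else tls_rsa_disabled(SAMPLE))
```

A plain text search of the file is misleading here, since commented examples mention the property and the live value spans continuation lines. This reads only the installed file; a JVM started with -Djava.security.properties pointing at another file can override it.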
Items in "Notable issues fixed" section
Only the Java 25 technote lists one of these, "-XX:+UseTransparentHugePages Again Enables Transparent Huge Pages for G1".
Items in "Bug fixes" section
Again, while I won't elaborate on them all, I will note finally that the "Bug fixes" section in the technote for each LTS version update lists the bugs fixed, ranging from a low of 21 of them (for Java 8) to a high of 51 of them (for Java 25).
What if you are skipping over other recent JVM updates?
Of course sometimes there is or is not much significant to the Java updates, or nothing may seem to apply to you, but note that if you may be skipping OVER Java updates to get to this one, then you DO need to consider also what was changed in THOSE updates. Of course, Oracle offers a technote for each update, and I offer a blog post like this on each. See my java category of posts.
Finding more on security matters addressed in these Java updates
As for security fixes included in this update, that's covered elsewhere. Unfortunately, I find often that when I get this post out on the day that the update comes out--and even though the release notes above are available for me to point to and assess--the details about the SECURITY changes seem delayed. But they WILL come, and perhaps will be there by the time you click the links I share next.
First, see the single document listing Java security fixes in this most recent update. That should take you to a section labelled "Oracle Java SE Risk Matrix", which is not yet there as I post this entry, but should be soon.
Second, see the Text Form of Risk Matrix for Oracle Java SE, which again should take you to a section labeled, "Text Form of Risk Matrix for Oracle Java SE"--but as I write the page gets a "we found a phone" 404 error. Both problems should be resolved by later today, from past experience.
As for that second link, pay close attention to "notes" offered there for each vulnerability, as that may temper the severity. (Note as well that while both these documents cover ALL Oracle products, I have offered in the first paragraph above links to the Java-specific sections of the pages. Focus on references to "Java SE" rather than any specific to GraalVM, which is not the focus of the discussion in this post.)
Watch also that many times the listed issues indicate that a vulnerability may be "difficult to exploit" and that many "[do] not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator)", which may reduce the concern for you about them depending on your perspective.
That said, these documents could also change between now and when you see this post, so it's your responsibility to assess that information carefully. And regardless of whether such vulnerabilities may seem to apply to you, generally folks should seek to keep their JVM updated, or at least avoid falling too far behind.
Obtaining the JVM update, from Oracle
As for obtaining downloads of Java updates, you can find all the current versions on this one page. Note that there are tabs for the installers for each supported OS (Linux, macOS, and Windows), both installers and zips/"compressed archives". (See the next section of my post here for yet another alternative.) That said, note that the TOP of the page offers the LATEST Java versions (Java 25; there is also a tab at the top next to 25 that offers Java 21).
As for the earlier LTS versions, those are offered FURTHER down the page (which is easy to miss). Here are direct links to get to those: Java 17, Java 11 and Java 8.
And while you DO need to sign in there to obtain the Java 17, 11 and 8 download files, an account is free. (The updates for Java 25 and above do NOT require a login on the Oracle site, and the Java 21 updates will not until Sept 2026--a year after Java 25 was released.) All this has to do with licensing of Java, which is beyond the scope of this post to discuss.
(To users of Adobe ColdFusion, my primary audience, note that Adobe licenses Oracle Java for our use of it with CF--but CF only. More on that in another blog post I discuss and link to below. Before going there, though, consider the next section on obtaining Java updates from Adobe.)
Obtaining the JVM update, from Adobe
As my blog and work are mostly focused on those using Adobe ColdFusion (as well as Lucee and BoxLang, and all 3 run atop Java), I'll clarify especially for CF users that Adobe offers the Oracle Java downloads, such that one need not log into the Oracle site as discussed above. See the CF Downloads page, and its last section offering Java installers, which includes the installers or zip/archive options, for each of Windows, Linux, and MacOS. Sometimes Adobe gets these downloads posted as soon as Oracle releases them, but often it may take some days before the latest update appears, in which case consider the Oracle links in the previous section. (Note that Adobe formally supports only the use of Oracle Java, not other OpenJDK implementations.)
As of my posting this today, the Adobe downloads page for CF-related installers does not yet have the downloads for this latest update. Watch that space for changes over time, or use the Oracle downloads approach I offer above.
And while some assert that CF folks "must use those from the CF downloads page", every time I've done a binary compare of the files, they have been identical to those offered on the Oracle site (at least for the identical build number, which may change slightly over time on the Oracle site though not the Adobe site). As this installer includes the Java license, I can't see how anyone could assert that it matters WHERE you get an identical installer. But IANAL. The choice is yours if you want the update ASAP and Adobe doesn't offer it yet.
Other topics you may be interested to know, and where I discuss them
Some readers may find the above so far to have been "a lot to consider" already, but there is indeed far more that you could and should consider before applying a Java update. And for a few years, I would cover such additional topics within this sort of blog post, each time I announced the new JVM update. But I've decided recently to split that off into its own blog entry, and I will point to that instead in each of these such JVM update announcement posts, in order to keep this relatively "brief". In that other post, I address such issues as:
- Obtaining and learning still more about available JVM updates
- What about other JVM distributions besides Oracle?
- News for my CF audience (which CF versions support what JVM versions, how to apply the update--including when using Commandbox or Lucee, why CF users should NOT for now use Java 21 and up with CF, etc.)
- Should you apply the update? how soon?
- Beware a change in the July 2023 JVM update, regarding Zip64ExtraFieldValidation
- Beware a change in the January 2023 JVM update, regarding a change in how the JDK installer works
- Beware a change in the October 2022 JVM update, regarding Java no longer trusting jars signed with SHA-1
- Beware a change in the April 2021 JVM update, regarding calls out to anything running TLS 1.1 or earlier
Wrapping up, getting more help
I hope all that may be helpful for you. Finally, feel free to ask questions or raise comments below, or for direct help note that I offer remote screenshare consulting help, where I am usually able to quickly fix problems (that might take many folks hours to resolve--if they don't deal with these issues daily like I do in helping people).
For more content like this from Charlie Arehart:
- Signup to get his blog posts by email
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
Need more help with problems?
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed




