25.08.0.0

Need help?

Schedule a consultation with an Azul performance expert.

25.08.0.0

Release date: September 8, 2025

This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 25.07.0.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	1.8.0_462-b8
11	11.0.28+6-LTS
17	17.0.16+8-LTS
21	21.0.8+9-LTS

What’s New

Zing 25.08.0.0 improves code speed with Falcon compiler optimization improvements for vectorization, escape analysis and loop unrolling.

Heuristics for committing and uncommitting Java heap (when Xms != Xmx) have been tuned to target 25-30% lower GC CPU usage.
Zing 25.08.0.0 enables BASE64 intrinsics on AVX2-capable hardware by default.

Zing 25.08.0.0 implements unified logging for JIT compilation and JIT inlining. Unified GC logging is supports the Falcon compiler, C1 compiler, and the legacy Dolphin compiler.

You can enable unified GC logging for JIT compilation using:
```
 -Xlog:jit+compilation=debug
```
For more information about Unified GC Logging, see our documentation on Unified GC Logging

Periodic logging in the steady phase has been disabled by default, by setting default value of -XX:SteadyPeriodForStatsSeconds to 0, in order to reduce the size of GC logs.

Zing 25.08.0.0 introduces two new command line options, both of which provide more information in GC logs:

Command-Line Option Description Default

Command-Line Option	Description	Default
`-XX:GCLogPrintWeakRefStats`	Enables logging of Reference.get() counters in standard GC log line format. This records to the GC log any time a Reference.get() call is made, as well as how many total refs were strengthened.	true
`-XX:PrintPSI`	Adds Pressure Stall Information (PSI) to the GC log along with other system metrics.	true

-XX:GCLogPrintWeakRefStats

Enables logging of Reference.get() counters in standard GC log line format. This records to the GC log any time a Reference.get() call is made, as well as how many total refs were strengthened.

true

-XX:PrintPSI

Adds Pressure Stall Information (PSI) to the GC log along with other system metrics.

true

The command line option, -XX:ValidateLicenseKey has been removed from the Zing product.
To print assembly of all sampled methods at exit with -XX:PrintHotMethodsAssemblyProfileAtExit, any negative integer should be used, instead of the former special keyword all.

July 2025 PSU release security fixes.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2025-50059	Networking	Multiple	Yes	8.6	Network	Low	None	None	Unchanged	High	None	None	21, 17, 11, 8	Note 1
CVE-2025-30761	Scripting	Multiple	Yes	5.9	Network	High	None	None	Unchanged	None	High	None	11, 8	Note 2
CVE-2025-30754	JSSE	TLS	Yes	4.8	Network	High	None	None	Unchanged	Low	Low	None	21, 17, 11, 8	Note 1
CVE-2025-30749 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	2D	Multiple	Yes	8.1	Network	High	None	None	Unchanged	High	High	High	None	Note 1
CVE-2025-50106 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	2D	Multiple	Yes	8.1	Network	High	None	None	Unchanged	High	High	High	None	Note 2
CVE-2025-23166 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None
CVE-2025-24855 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (libxslt)	Multiple	Yes	7.5	Network	High	None	Required	Unchanged	High	High	High	None	Note 1
CVE-2025-27113 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (libxml2)	Multiple	Yes	7.5	Network	High	None	Required	Unchanged	High	High	High	None	Note 1
CVE-2025-50063 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Install	None	No	7.3	Local	Low	Low	Required	Unchanged	High	High	High	None
CVE-2025-30752 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Compiler	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	None	Note 1
CVE-2025-50065 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK	HTTP	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2025-50059

Networking

Multiple

Yes

8.6

Network

Low

None

Unchanged

High

None

21, 17, 11, 8

Note 1

CVE-2025-30761

Scripting

Multiple

Yes

5.9

Network

High

None

Unchanged

None

High

None

11, 8

Note 2

CVE-2025-30754

JSSE

TLS

Yes

4.8

Network

High

None

Unchanged

Low

None

21, 17, 11, 8

Note 1

CVE-2025-30749 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Multiple

Yes

8.1

Network

High

None

Unchanged

High

None

Note 1

CVE-2025-50106 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Multiple

Yes

8.1

Network

High

None

Unchanged

High

None

Note 2

CVE-2025-23166 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

CVE-2025-24855 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (libxslt)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

None

Note 1

CVE-2025-27113 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (libxml2)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

None

Note 1

CVE-2025-50063 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Install

None

7.3

Local

Low

Required

Unchanged

High

None

CVE-2025-30752 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Compiler

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

Note 1

CVE-2025-50065 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

HTTP

Yes

3.7

Network

High

None

Unchanged

None

Low

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Notes

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Additional CVEs addressed are:

The patch for CVE-2025-24855 also addresses CVE-2024-55549.
The patch for CVE-2025-23166 also addresses CVE-2025-23165.
The patch for CVE-2025-27113 also addresses CVE-2024-40896, CVE-2024-56171, CVE-2025-24928, CVE-2025-32414, and CVE-2025-32415.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2025

Known Issues

Issue ID Description

Issue ID	Description
ZVM-36615	Cloud Native Compiler users may experience connection errors and longer than usual compile times.
ZVM-34474	Open JDK build number for JDK 8 is displayed incorrectly in `java -version` output.

ZVM-36615

Cloud Native Compiler users may experience connection errors and longer than usual compile times.

ZVM-34474

Open JDK build number for JDK 8 is displayed incorrectly in java -version output.

Resolved Issues

Issue ID	Description
ZVM-35714	Crashes or bad performance caused by wrong granularity of java heap commit on systems where the huge page size is not 2 MB.
ZVM-35554	Intermittent crash during memory allocation for code cache when nearing its limits.
ZVM-34996	Crash due to race between clearing card marks during object allocation and scanning of the card table.
ZVM-35698	Crash due to wrong shrinking of java heap size during allocation of forwarding table space.

Issue ID

Description

ZVM-35714

Crashes or bad performance caused by wrong granularity of java heap commit on systems where the huge page size is not 2 MB.

ZVM-35554

Intermittent crash during memory allocation for code cache when nearing its limits.

ZVM-34996

Crash due to race between clearing card marks during object allocation and scanning of the card table.

ZVM-35698

Crash due to wrong shrinking of java heap size during allocation of forwarding table space.