26.02.0.0

Need help?

Schedule a consultation with an Azul performance expert.

26.02.0.0

Release date: March 30, 2026

This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 26.01.0.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	1.8.0_482-b4
11	11.0.30+7-LTS
17	17.0.18+8-LTS
21	21.0.10+7-LTS
25	25.0.2+10-LTS

What’s New

Zing 26.02.0.0 includes the General Availability (GA) release of JDK 25.

OpenJDK 25 is a Long-Term Supported (LTS) release. This new OpenJDK version includes several thousand general bug and performance fixes over Java 21 as well as 12 distinct new features.

JDK 25 utilizes a new lightweight locking scheme which has been incorporated into Zing and is enabled by default for JDK 25. To use the legacy Zing locking scheme in JDK 25, you can use the command line option -XX:LockingMode=1. The legacy locking scheme, -XX:LockingMode=1, remains the default for JDK 8, 11, 17 and 21.

You can check out the community podcast where you can learn more about JDK 25 and the evolution process of the OpenJDK project, and check out the official JDK page for a list of everything new in JDK 25.

OpenSSL has been removed from Zing and must be installed separately if you wish to continue using SSL in your project. If you are using Cloud Native Compiler (CNC), you must install an SSL library. We recommend adding an OpenSSL implementation to your Maven dependencies such as Netty or Conscrypt.

Zing 26.02.0.0 implements a new system for CNC local fallback which evaluates productivity of the remote compiler in order to make a decision to trigger local fallback or not. While this new logic replaces the previous local fallback system, all mechanisms for local fallback remain intact. You can disable the new local fallback system using -XX:-CNCLocalFallbackProductivityBasedTriggering.

There are several options available for modifying the behavior of the new local fallback system:

Command-Line Option Description Default

Command-Line Option	Description	Default
`-XX:CNCProductivityLocalCompilationRatePerCompilerThread`	The number of compilations per second that a local compiler thread should be able to deliver when deciding to trigger local fallback.	5 - Derived from `FalconOptimizationLevel` and `CNCLocalFallbackOptLevelLimit`.
`-XX:CNCProductivityMinEvaluationWindowSeconds`	The minimum time window, in seconds, for productivity evaluation.	5
`-XX:CNCProductivityMinOutstandingCompilesForEvaluation`	The number of outstanding compile requests on the server before justifying local fallback.	100

-XX:CNCProductivityLocalCompilationRatePerCompilerThread

The number of compilations per second that a local compiler thread should be able to deliver when deciding to trigger local fallback.

5 - Derived from FalconOptimizationLevel and CNCLocalFallbackOptLevelLimit.

-XX:CNCProductivityMinEvaluationWindowSeconds

The minimum time window, in seconds, for productivity evaluation.

-XX:CNCProductivityMinOutstandingCompilesForEvaluation

The number of outstanding compile requests on the server before justifying local fallback.

100

Zing 26.02.0.0 introduces several flags which can be used to disable various parts of first call instrumentation:

Command-Line Option Description Default

Command-Line Option	Description	Default
`-XX:InstrumentFirstCallInterpreter`	Enables first call instrumentation of interpreter.	true
`-XXInstrumentFirstCallOfCompiledMethod`	Enables first call instrumentation of compiled methods.	true
`-XX:InstrumentFirstCallOfOSRMethod`	Enables first call instrumentation of OSR compiled methods	true

-XX:InstrumentFirstCallInterpreter

Enables first call instrumentation of interpreter.

true

-XXInstrumentFirstCallOfCompiledMethod

Enables first call instrumentation of compiled methods.

true

-XX:InstrumentFirstCallOfOSRMethod

Enables first call instrumentation of OSR compiled methods

true

January 2026 PSU release security fixes.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2026-21945	Security	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	25, 21, 17, 11, 8	Note 1
CVE-2026-21932	AWT, JavaFX	Multiple	Yes	7.4	Network	Low	None	Required	Changed	None	High	None	25, 21, 17, 11	Note 1
CVE-2026-21933	Networking	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	25, 21, 17, 11, 8	Note 2
CVE-2026-21925	RMI	Multiple	Yes	4.8	Network	High	None	None	Unchanged	Low	Low	None	25, 21, 17, 11, 8	Note 2
CVE-2025-43368 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (WebKitGTK)	Multiple	Yes	7.5	Network	High	None	Required	Unchanged	High	High	High	None	Note 1
CVE-2025-7425 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (libxslt)	Multiple	Yes	7.5	Network	High	None	Required	Unchanged	High	High	High	None	Note 1
CVE-2025-6021 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (libxml2)	Multiple	Yes	5.9	Network	High	None	None	Unchanged	None	None	High	None	Note 1
CVE-2025-12183 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Mission Control (lz4-java)	Multiple	Yes	5.4	Network	Low	None	Required	Unchanged	Low	None	Low	None	Note 3
CVE-2025-6052 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (glibc)	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	None	Note 1
CVE-2025-47219 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (gstreamer)	Multiple	Yes	3.1	Network	High	None	Required	Unchanged	Low	None	None	None	Note 2
CVE-2026-21947 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX	Multiple	Yes	3.1	Network	High	None	Required	Unchanged	None	Low	None	None	Note 1

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2026-21945

Security

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

25, 21, 17, 11, 8

Note 1

CVE-2026-21932

AWT, JavaFX

Multiple

Yes

7.4

Network

Low

None

Required

Changed

None

High

None

25, 21, 17, 11

Note 1

CVE-2026-21933

Networking

Multiple

Yes

6.1

Network

Low

None

Required

Changed

Low

None

25, 21, 17, 11, 8

Note 2

CVE-2026-21925

RMI

Multiple

Yes

4.8

Network

High

None

Unchanged

Low

None

25, 21, 17, 11, 8

Note 2

CVE-2025-43368 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (WebKitGTK)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

None

Note 1

CVE-2025-7425 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (libxslt)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

None

Note 1

CVE-2025-6021 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (libxml2)

Multiple

Yes

5.9

Network

High

None

Unchanged

None

High

None

Note 1

CVE-2025-12183 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Mission Control (lz4-java)

Multiple

Yes

5.4

Network

Low

None

Required

Unchanged

Low

None

Low

None

Note 3

CVE-2025-6052 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (glibc)

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

Note 1

CVE-2025-47219 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (gstreamer)

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

Low

None

Note 2

CVE-2026-21947 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

Note 1

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
3	Azul Mission Control 9.1.1 is affected and is being updated and released separately

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2026

Known Issues

There are no new issues to report in this release.

Resolved Issues

Issue ID Description

Issue ID	Description
ZVM-34474	Open JDK build number for JDK 8 is displayed incorrectly in `java -version` output.
ZVM-37641	MXBean `getTotalOutstandingCompiles` can show a higher count when Cloud Native Compiler (CNC) uses local fallback.
ZVM-38081	Cloud Native Compiler (CNC) experiences slowdown with aggressive telemetry collection, i.e. when `-XX:TelementryCollectorPeriodMs` is set to 1.

ZVM-34474

Open JDK build number for JDK 8 is displayed incorrectly in java -version output.

ZVM-37641

MXBean getTotalOutstandingCompiles can show a higher count when Cloud Native Compiler (CNC) uses local fallback.

ZVM-38081

Cloud Native Compiler (CNC) experiences slowdown with aggressive telemetry collection, i.e. when -XX:TelementryCollectorPeriodMs is set to 1.