Local fallback based on productivity can trigger later than expected, affecting productivity.
26.04.0.0
26.04.0.0
Release date: May 8, 2026
This CPU release is based on the Azul Zing Build of OpenJDK (Zing) 26.01.0.0 and corresponds to the following OpenJDK versions:
| Major Version | OpenJDK Version |
|---|---|
8 |
1.8.0_491-b2 |
11 |
11.0.30.0.101+1-LTS |
17 |
17.0.18.0.101+1-LTS |
21 |
21.0.10.0.101+1-LTS |
25 |
25.0.2.0.101+1-LTS |
What’s New
-
The default value for the command line option
-XX:ProfileLogOutMaxNominatedGenerationCounthas changed from 0 (infinite) to 4. This sets the third generation of a ReadyNow profile, when using Cloud Native Compiler, as the maximum profile level that the VM nominates.For more information about ReadyNow profiles and profile nomination, see Understanding ReadyNow Orchestrator Generations
CVE fixes
| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
JAXP |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
High |
None |
None |
25, 21, 17, 11, 8 |
Note 2 |
|
Networking |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
25, 21, 17, 11 |
Note 2 |
|
JGSS |
Multiple |
Yes |
5.3 |
Network |
High |
None |
Required |
Unchanged |
High |
None |
None |
25, 21, 17, 11, 8 |
Note 1 |
|
JSSE |
HTTPS |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
25, 21, 17, 11, 8 |
Note 2 |
|
2D (FreeType) |
None |
No |
5.3 |
Local |
Low |
None |
Required |
Unchanged |
Low |
Low |
Low |
25, 21, 17, 11, 8 |
Note 2 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
25 |
Note 1 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
25, 21, 17, 11, 8 |
Note 2 |
|
Security |
None |
No |
2.9 |
Local |
High |
None |
None |
Unchanged |
Low |
None |
None |
25, 21, 17, 11, 8 |
Note 2 |
|
Security |
None |
No |
2.9 |
Local |
High |
None |
None |
Unchanged |
Low |
None |
None |
25, 21, 17, 11, 8 |
Note 2 |
|
CVE-2026-20652 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (WebKitGTK) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
Note 1, Note 3 |
CVE-2026-22003 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
None |
No |
6.0 |
Local |
High |
Low |
Required |
Unchanged |
None |
High |
High |
None |
Note 1 |
Notes:
| ID | Notes |
|---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
3 |
The patch for CVE-2026-20652 also addresses CVE-2025-43457, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, and CVE-2026-20676. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2026