RLSA-2026:9693

The OpenJDK 25 packages provide the OpenJDK 25 Java Runtime Environment and the OpenJDK 25 Java Software Development Kit.

Security Fix(es):

• JDK: Enhance crypto algorithm support (CVE-2026-22007)

• JDK: Improved Arena allocations (CVE-2026-22008)

• JDK: Improve Kerberos credentialing (CVE-2026-22013)

• JDK: Enhance Path Factories Redux (CVE-2026-22016)

• JDK: Enhance Zip file reading (CVE-2026-22018)

• JDK: Enhance certificate chain validation (CVE-2026-22021)

• JDK: Updating FreeType 2.14.1 (CVE-2026-23865)

• JDK: Enhance TLS connection handling (CVE-2026-34282)

• JDK: Enhance key generation (CVE-2026-34268)

This release also updates a number of third-party libraries included in the JDK. The libraries themselves are affected by the following CVEs, but this is not a statement that the JDK itself is affected:

• giflib: Denial of Service via buffer overflow in EGifGCBToExtension (CVE-2026-26740)

• libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)

• libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)

Bug Fix(es):

• When copying files, OpenJDK 25 prefers to use the copyfilerange native function for performance reasons, only falling back to sendfile when this fails. However, in previous OpenJDK 25 releases, a response of EOPNOTSUPP (operation not supported) did not cause the JDK to fall back to sendfile. This is rectified in this release. (Rocky Linux-169939, Rocky Linux-169937)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.