This week’s Java roundup for January 19th, 2026, features news highlighting: JEP 527, Post-Quantum Hybrid Key Exchange for TLS 1.3, targeted for JDK 27; GlassFish Grizzly 5.0; the quarterly release of the Oracle Critical Patch Update (CPU) Advisory; the January 2026 edition of the Payara Platform; and maintenance releases of Liberica JDK, GraalVM, OpenXava and Ktor.
OpenJDK
JEP 527, Post-Quantum Hybrid Key Exchange for TLS 1.3, has been elevated from Proposed to Target to Targeted for JDK 27. This JEP proposes to enhance the implementation of RFC 8446, Transport Layer Security (TLS) Protocol Version 1.3, using the Hybrid Key Exchange in TLS 1.3 specification, currently being drafted by the Internet Engineering Task Force (IETF) in conjunction with JEP 496, Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism, delivered in JDK 24.
Oracle has released versions 25.0.2, 21.0.10, 17.0.18, 11.0.30 and 8u481 of the JDK as part of their quarterly Critical Patch Update Advisory for January 2026. Further details on this release may be found in the release notes for version 25.0.2, version 21.0.10, version 17.0.18, version 11.0.30 and version 8u481.
JDK 26
Build 32 of the JDK 26 early-access builds was made available this past week featuring updates from Build 31 that include fixes for various issues. More details on this release may be found in the release notes.
JDK 27
Build 6 of the JDK 27 early-access builds was also made available this past week featuring updates from Build 5 that include fixes for various issues. Further details on this release may be found in the release notes.
For JDK 26 and JDK 27, developers are encouraged to report bugs via the Java Bug Database.
GlassFish Grizzly
The GA release of GlassFish Grizzly 5.0.0, a framework designed to extend the capabilities of the Java NIO API, delivers notable changes such as: a JDK 21 baseline; support for virtual threads with a new VirtualThreadExecutorService class for use in the Grizzly thread pool; and support for the Jakarta Servlet 6.1 specification. More details on this release may be found in the release notes.
Jakarta EE
In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation, provided an update on Jakarta EE 12, writing:
Every major release of Jakarta EE has been given a theme, or a slogan characteristic for the release. For Jakarta EE 9, the keywords were “Lower Entry Barriers – Platform for Innovation – Easy Migration,” and for Jakarta EE 10, it was “Modernized – Simplified – Lightweight.” Jakarta EE 11 got the slogan “Developer Productivity and Performance.”
When we discussed what we should use for the upcoming Jakarta EE 12 release, the choice fell on “Robust and Flexible.” This is something that fits very well with Jakarta EE, regardless of which release we are talking about, but fits very well with Jakarta EE 12 since it is now even more robust than ever, being the fourth major release since the transfer to Eclipse Foundation.
The road to Jakarta EE 12 includes four milestone releases, the first of which was delivered in December 2025, with a planned GA release in July 2026.
BellSoft
Concurrent with Oracle’s Critical Patch Update (CPU) for January 2026, BellSoft has released CPU patches for versions 25.0.1.0.1, 21.0.9.0.1, 17.0.17.0.1, 11.0.29.0.1, 8u481 7u491 and 6u491 of Liberica JDK, their downstream distribution of OpenJDK, to address this list of CVEs. In addition, Patch Set Update (PSU) versions 25.0.2, 21.0.10, 17.0.18, 11.0.30 and 8u481, containing CPU and non-critical fixes, have also been released.
With an overall total of 1217 fixes and backports, BellSoft states they have participated in eliminating 21 issues in all releases.
GraalVM
Similarly, GraalVM 25.0.2, the second maintenance release also concurrent with Oracle’s CPU for January 2026, provides resolutions to notable issues such as: a memory leak with Translation-Lookaside Buffer (TLB) events in the JDK Flight Recorder; and a miscompilation with loop vectorization that produced incorrect results.
The team has also dropped support for macOS x64. This new release only supports macOS AArch64.
Further details on this release may be found in the release notes.
Spring Framework
It was a busy week over at Spring as the various teams have delivered the first milestone releases of: Spring Boot; Spring Security; Spring Integration; Spring Modulith; and Spring AMQP; along with the second milestone release of Spring AI. More details may be found in this InfoQ news story.
Payara
Payara has released their January 2026 edition of the Payara Platform that includes Community Edition 7.2026.1, Enterprise Edition 6.34.0 and Enterprise Edition 5.83.0. Along with bug fixes and component upgrades, all three editions focus on resolutions to two CVEs, namely: CVE-2020-5258, a vulnerability in Dojo that allows an attacker to inject properties into existing language construct prototypes in JavaScript and manipulate the attributes to overwrite, or pollute, a JavaScript application object prototype by injecting other values; and a vulnerability that allows an attacker to takeover the Payara admin account through a malicious URL payload. Further details on these releases may be found in the release notes for Community Edition 7.2026.1, Enterprise Edition 6.34.0 and Enterprise Edition 5.83.0.
OpenXava
The release of OpenXava 7.6.4 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: improved startup time of embedded Apache Tomcat; and a new toString(Locale, Object) method, defined in the Strings class to join the other overloaded variants of toString(), to convert locale-aware strings. More details on this release may be found in the release notes.
JetBrains Ktor
The release of JetBrains Ktor 3.4.0 delivers bug fixes and new features such as: a new API, describe, that dynamically generates and documents OpenAPI endpoints in conjunction with a new compiler plugin; and a new ktor-server-compression-zstd module that supports the Zstd compression algorithm. Further details on this release may be found in the release notes.
