Liberica JDK 11.0.30+9: Release Notes

Published: January 20, 2026

1. Version information

This document provides information about Liberica JDK 11.0.30 release. The full version string for this update release is 11.0.30+9. The version number is 11.

Liberica JDK 11 is distributed as .apk, .rpm, .zip, .deb, .pkg, and .tar.gz packages. Please select the most appropriate for your purposes.

2. What’s New

This release contains the following updates and new features.

Notable Changes

This is the list of the notable issues fixed in this release.

Issue ID

Issue ID
JDK-8245545	Summary: Disabled TLS_RSA cipher suites Description: The TLS_RSA cipher suites have been disabled by default, by adding 'TLS_RSA_' to the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file. The TLS_RSA cipher suites do not preserve forward-secrecy and are not commonly used. Some TLS_RSA cipher suites are already disabled because they use DES, 3DES, RC4, or NULL, which are disabled. This action disables all remaining TLS_RSA cipher suites. Any attempts to use cipher suites starting with 'TLS_RSA_' will fail with an `SSLHandshakeException`. Users can, at their own risk, re-enable these cipher suites by removing 'TLS_RSA_' from the `jdk.tls.disabledAlgorithms` security property. The following previously enabled cipher suites are now disabled: TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA.
JDK-8313083	Summary: Print 'rss' and 'cache' As Part of the Container Information Description: The HotSpot runtime code has been updated to additionally print a container’s 'rss' and 'cache'. The additional output can be found in the JVM’s response to a 'jcmd [PID] VM.info' request and in the `hs_err` file generated in case of JVM abrupt termination. This will help monitoring and troubleshooting OutOfMemory situations as OOM killer can terminate a process if its `rss` + `cache` usage reaches the max memory limit of the container.
JDK-8337506	Summary: Disabled 'best-fit' Mapping on Windows Command Line Description: Command line arguments to the Java launcher are no longer converted with Windows 'best-fit' mapping when the arguments include unmappable characters for the ANSI code page. This mapping has been intervening in the Java launcher’s argument parsing. Unmappable characters are now replaced with the default replacement character, such as '?' in some cases. For rare cases, where applications need those unmappable characters on the command line, select UTF-8 in Windows Regional Settings.
JDK-8341964	Summary: Added a mechanism to Disable TLS Cipher Suites by Pattern Matching Description: TLS cipher suites can be disabled with the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file using one or more wildcard characters. For example, 'TLS_RSA_' disables all cipher suites that start with 'TLS_RSA_'. Only cipher suites starting with 'TLS_' are allowed to have wildcard characters.

JDK-8245545

Summary: Disabled TLS_RSA cipher suites

Description: The TLS_RSA cipher suites have been disabled by default, by adding 'TLS_RSA_*' to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_RSA cipher suites do not preserve forward-secrecy and are not commonly used. Some TLS_RSA cipher suites are already disabled because they use DES, 3DES, RC4, or NULL, which are disabled. This action disables all remaining TLS_RSA cipher suites. Any attempts to use cipher suites starting with 'TLS_RSA_' will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing 'TLS_RSA_*' from the jdk.tls.disabledAlgorithms security property. The following previously enabled cipher suites are now disabled: TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA.

JDK-8313083

Summary: Print 'rss' and 'cache' As Part of the Container Information

Description: The HotSpot runtime code has been updated to additionally print a container’s 'rss' and 'cache'. The additional output can be found in the JVM’s response to a 'jcmd [PID] VM.info' request and in the hs_err file generated in case of JVM abrupt termination. This will help monitoring and troubleshooting OutOfMemory situations as OOM killer can terminate a process if its rss + cache usage reaches the max memory limit of the container.

JDK-8337506

Summary: Disabled 'best-fit' Mapping on Windows Command Line

Description: Command line arguments to the Java launcher are no longer converted with Windows 'best-fit' mapping when the arguments include unmappable characters for the ANSI code page. This mapping has been intervening in the Java launcher’s argument parsing. Unmappable characters are now replaced with the default replacement character, such as '?' in some cases. For rare cases, where applications need those unmappable characters on the command line, select UTF-8 in Windows Regional Settings.

JDK-8341964

Summary: Added a mechanism to Disable TLS Cipher Suites by Pattern Matching

Description: TLS cipher suites can be disabled with the jdk.tls.disabledAlgorithms security property in the java.security configuration file using one or more wildcard characters. For example, 'TLS_RSA_' disables all cipher suites that start with 'TLS_RSA_'. Only cipher suites starting with 'TLS_' are allowed to have wildcard characters.

Graal support in Liberica JDK 11

Liberica JDK continues to provide support for AOT and Graal JIT. Since in OpenJDK 11 builds these features are deemed experimental and deprecated, it is recommended to compile native executables with Liberica Native Image Kit to avoid errors.

IANA TZ Data version

This release of Liberica JDK 11.0.30 comes with the 2025b version of the in-tree copy of the IANA timezone database. The following are the key features of this version.

Future Timestamps

New Time Zone:

A new time zone, America/Coyhaique, is created for Chile’s Aysén Region, which will now observe UTC−03 year-round (no daylight saving time).

This diverges from America/Santiago starting March 20, 2025.
Aysén will not change clocks on April 5, 2025.
This aligns Aysén with Magallanes Region.

Past Timestamps

Iran Time Change Correction:

Iran changed from UTC+04 to UTC+03:30 on November 10, 1978, not at the end of the year as previously recorded.

Code Fixes

Improved behavior for the zic tool:

It no longer creates invalid symlinks when using -l with multiple arguments.
A buffer underflow issue is resolved.

For more information, see JDK-8352716.

3. Known Issues

This release does not contain any known issues.

4. Fixed CVEs

This is the list of the security issues fixed in this release. CVSS scores are provided using the CVSS version 3.1 scoring system.

CVE ID	CVSS score	Component	Module	Attack Vector	Complexity	Privileges	User Interaction	Scope	Confidentiality	Integrity	Availability
CVE-2025-43368	7.5	javafx	web	network	high	none	required	unchanged	high	high	high
CVE-2025-47219	3.1	javafx	media	network	high	none	required	unchanged	low	none	none
CVE-2025-6021	5.9	javafx	web	network	high	none	none	unchanged	none	none	high
CVE-2025-6052	3.7	javafx	media	network	high	none	none	unchanged	none	none	low
CVE-2025-7424	5.5	javafx	web	local	low	none	required	unchanged	none	none	high
CVE-2025-7425	7.5	javafx	web	network	high	none	required	unchanged	high	high	high
CVE-2026-21925	4.8	core-libs	java.rmi	network	high	none	none	unchanged	low	low	none
CVE-2026-21932	7.4	client-libs	java.awt	network	low	none	required	changed	none	high	none
CVE-2026-21933	6.1	core-libs	java.net	network	low	none	required	changed	low	low	none
CVE-2026-21945	7.5	security-libs	java.security	network	low	none	none	unchanged	none	none	high
CVE-2026-21947	3.1	javafx	web	network	high	none	required	unchanged	none	low	none

CVE ID

CVSS score

Component

Module

Attack Vector

Complexity

Privileges

User Interaction

Scope

Confidentiality

Integrity

Availability

CVE-2025-43368

7.5

javafx

web

network

high

none

required

unchanged

high

CVE-2025-47219

3.1

javafx

media

network

high

none

required

unchanged

low

none

CVE-2025-6021

5.9

javafx

web

network

high

none

unchanged

none

high

CVE-2025-6052

3.7

javafx

media

network

high

none

unchanged

none

low

CVE-2025-7424

5.5

javafx

web

local

low

none

required

unchanged

none

high

CVE-2025-7425

7.5

javafx

web

network

high

none

required

unchanged

high

CVE-2026-21925

4.8

core-libs

java.rmi

network

high

none

unchanged

low

none

CVE-2026-21932

7.4

client-libs

java.awt

network

low

none

required

changed

none

high

none

CVE-2026-21933

6.1

core-libs

java.net

network

low

none

required

changed

low

none

CVE-2026-21945

7.5

security-libs

java.security

network

low

none

unchanged

none

high

CVE-2026-21947

3.1

javafx

web

network

high

none

required

unchanged

none

low

none

5. Resolved Issues

JDK issues

This is the list of general JDK issues fixed in this release.

Issue ID	Summary
JDK-4895924	Strings in format #rgb not handled by Color.decode() (affects CSS / Swing)
JDK-8213781	web page background renders blue in JEditorPane
JDK-8224087	Compile C code for at least C99 Standard compliance
JDK-8245545	Disable TLS_RSA cipher suites
JDK-8257709	C1: Double assignment in InstructionPrinter::print_stack
JDK-8263622	The java.awt.color.ICC_Profile#setData invert the order of bytes for the "head" tag
JDK-8264524	jdk/internal/platform/docker/TestDockerMemoryMetrics.java fails due to swapping not working
JDK-8265429	Improve GCM encryption
JDK-8271456	Avoid looking up standard charsets in "java.desktop" module
JDK-8274893	Update java.desktop classes to use try-with-resources
JDK-8295301	Problem list TrayIcon tests that fail on Ubuntu 22.04
JDK-8299748	java/util/zip/Deinflate.java failing on s390x
JDK-8313083	Print 'rss' and 'cache' as part of the container information
JDK-8317970	Bump target macosx-x64 version to 11.00.00
JDK-8336451	[11u] GHA macos-13 and macos-15 builders are unable to resolve local hostname
JDK-8336854	CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout
JDK-8337506	Disable "best-fit" mapping on Windows command line
JDK-8339280	jarsigner -verify performs cross-checking between CEN and LOC
JDK-8341496	Improve JMX connections
JDK-8341861	GHA: Use only retention mechanism to remove bundles
JDK-8341964	Add mechanism to disable different parts of TLS cipher suite
JDK-8347129	cpuset cgroups controller is required for no good reason
JDK-8347381	Upgrade jQuery UI to version 1.14.1
JDK-8347911	Limit the length of inflated text chunks
JDK-8350813	Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError
JDK-8351933	Inaccurate masking of TC subfield decrement in ForkJoinPool
JDK-8353299	VerifyJarEntryName.java test fails
JDK-8354941	Build failure with glibc 2.42 due to uabs() name collision
JDK-8355528	Update HarfBuzz to 11.2.0
JDK-8357657	[11u] [windows] cannot stat '/jdk.crypto.ec/*': No such file or directory
JDK-8358004	Delete applications/scimark/Scimark.java test
JDK-8359402	Test CloseDescriptors.java should throw SkippedException when there is no lsof/sctp
JDK-8359501	Enhance Handling of URIs
JDK-8362308	Enhance Bitmap operations
JDK-8362632	Improve HttpServer Request handling
JDK-8364214	Enhance polygon data support
JDK-8364597	Replace THL A29 Limited with Tencent
JDK-8364660	ClassVerifier::ends_in_athrow() should be removed
JDK-8365058	Enhance CopyOnWriteArraySet
JDK-8365271	Improve Swing supports
JDK-8366125	[11u] Test compiler/loopopts/TestRangeCheckPredicatesControl.java fails OOM
JDK-8366359	Test should throw SkippedException when there is no lpstat
JDK-8366572	Bump update version of OpenJDK: 11.0.30
JDK-8367782	VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName
JDK-8368032	Enhance Certificate Checking
JDK-8368192	Test java/lang/ProcessBuilder/Basic.java#id0 fails with Exception: Stack trace
JDK-8368982	Test sun/security/tools/jarsigner/EC.java completed and timed out
JDK-8369226	GHA: Switch to MacOS 15
JDK-8372534	Update Libpng to 1.6.51

Issue ID

Summary

JDK-4895924

Strings in format #rgb not handled by Color.decode() (affects CSS / Swing)

JDK-8213781

web page background renders blue in JEditorPane

JDK-8224087

Compile C code for at least C99 Standard compliance

JDK-8245545

Disable TLS_RSA cipher suites

JDK-8257709

C1: Double assignment in InstructionPrinter::print_stack

JDK-8263622

The java.awt.color.ICC_Profile#setData invert the order of bytes for the "head" tag

JDK-8264524

jdk/internal/platform/docker/TestDockerMemoryMetrics.java fails due to swapping not working

JDK-8265429

Improve GCM encryption

JDK-8271456

Avoid looking up standard charsets in "java.desktop" module

JDK-8274893

Update java.desktop classes to use try-with-resources

JDK-8295301

Problem list TrayIcon tests that fail on Ubuntu 22.04

JDK-8299748

java/util/zip/Deinflate.java failing on s390x

JDK-8313083

Print 'rss' and 'cache' as part of the container information

JDK-8317970

Bump target macosx-x64 version to 11.00.00

JDK-8336451

[11u] GHA macos-13 and macos-15 builders are unable to resolve local hostname

JDK-8336854

CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout

JDK-8337506

Disable "best-fit" mapping on Windows command line

JDK-8339280

jarsigner -verify performs cross-checking between CEN and LOC

JDK-8341496

Improve JMX connections

JDK-8341861

GHA: Use only retention mechanism to remove bundles

JDK-8341964

Add mechanism to disable different parts of TLS cipher suite

JDK-8347129

cpuset cgroups controller is required for no good reason

JDK-8347381

Upgrade jQuery UI to version 1.14.1

JDK-8347911

Limit the length of inflated text chunks

JDK-8350813

Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError

JDK-8351933

Inaccurate masking of TC subfield decrement in ForkJoinPool

JDK-8353299

VerifyJarEntryName.java test fails

JDK-8354941

Build failure with glibc 2.42 due to uabs() name collision

JDK-8355528

Update HarfBuzz to 11.2.0

JDK-8357657

[11u] [windows] cannot stat '/jdk.crypto.ec/*': No such file or directory

JDK-8358004

Delete applications/scimark/Scimark.java test

JDK-8359402

Test CloseDescriptors.java should throw SkippedException when there is no lsof/sctp

JDK-8359501

Enhance Handling of URIs

JDK-8362308

Enhance Bitmap operations

JDK-8362632

Improve HttpServer Request handling

JDK-8364214

Enhance polygon data support

JDK-8364597

Replace THL A29 Limited with Tencent

JDK-8364660

ClassVerifier::ends_in_athrow() should be removed

JDK-8365058

Enhance CopyOnWriteArraySet

JDK-8365271

Improve Swing supports

JDK-8366125

[11u] Test compiler/loopopts/TestRangeCheckPredicatesControl.java fails OOM

JDK-8366359

Test should throw SkippedException when there is no lpstat

JDK-8366572

Bump update version of OpenJDK: 11.0.30

JDK-8367782

VerifyJarEntryName.java: Fix modifyJarEntryName to operate on bytes and re-introduce verifySignatureEntryName

JDK-8368032

Enhance Certificate Checking

JDK-8368192

Test java/lang/ProcessBuilder/Basic.java#id0 fails with Exception: Stack trace

JDK-8368982

Test sun/security/tools/jarsigner/EC.java completed and timed out

JDK-8369226

GHA: Switch to MacOS 15

JDK-8372534

Update Libpng to 1.6.51

JFX issues

This is the list of JFX issues fixed in this release.

Issue ID	Summary
JDK-8339335	set number of parallel jobs when building webkit
JDK-8339505	Enable parallel compilation of native code on macOS
JDK-8361648	Update Glib to 2.84.3
JDK-8361719	Enhance Handling of URI
JDK-8362535	Update libxslt support
JDK-8366217	Update GStreamer to 1.26.5
JDK-8367578	Additional WebKit 622.1 fixes from WebKitGTK 2.48.7
JDK-8368600	Missing "/DELAYLOAD:shlwapi.dll" in win.gradle
JDK-8368704	Better glyph handling
JDK-8370235	WebKit build fails on Windows 32-bit and Linux 32-bit after JDK-8367578

Issue ID

Summary

JDK-8339335

set number of parallel jobs when building webkit

JDK-8339505

Enable parallel compilation of native code on macOS

JDK-8361648

Update Glib to 2.84.3

JDK-8361719

Enhance Handling of URI

JDK-8362535

Update libxslt support

JDK-8366217

Update GStreamer to 1.26.5

JDK-8367578

Additional WebKit 622.1 fixes from WebKitGTK 2.48.7

JDK-8368600

Missing "/DELAYLOAD:shlwapi.dll" in win.gradle

JDK-8368704

Better glyph handling

JDK-8370235

WebKit build fails on Windows 32-bit and Linux 32-bit after JDK-8367578

6. Updates to Third Party Libraries

This is the list of changes in the third party libraries.

Library	Full name	New Version	Module	JBS number
Glib	GNU Glib	2.84.3	javafx.media	JDK-8361648
GStreamer	GStreamer	1.26.5	javafx.media	JDK-8366217
HarfBuzz	HarfBuzz	11.2.0	2d	JDK-8355528
jQuery	jQuery UI	1.14.1	javadoc	JDK-8347381
Libpng	Libpng	1.6.51	java.awt	JDK-8372534

Library

Full name

New Version

Module

JBS number

Glib

GNU Glib

2.84.3

javafx.media

JDK-8361648

GStreamer

1.26.5

javafx.media

JDK-8366217

HarfBuzz

11.2.0

JDK-8355528

jQuery

jQuery UI

1.14.1

javadoc

JDK-8347381

Libpng

1.6.51

java.awt

JDK-8372534

7. Upgrading to the New Version

To keep your Liberica JDK up-to-date and secure, always upgrade to the newest available version once it is released. To upgrade, install the new version over the previous one. For the installation instructions, see Liberica JDK Installation Guide.