Every three months, a new Java security release drops. This week, it happened again. And every three months, many Java deployments around the world simply don’t get updated.
The April 2026 Quarterly Update
Azul just published the April 2026 Quarterly Update for Azul Zulu Builds of OpenJDK. This release covers Java versions 6, 7, 8, 11, 17, 21, 25, and 26, which is more versions than any other OpenJDK distributor covers.
The update ships in two flavors:
- CPU (Critical Patch Update) releases contain only security fixes, which keeps the risk of change small.
- PSU (Patch Set Update) releases add non-security bug fixes on top.
This release fixes 10 CVEs applicable to Azul Zulu:
| CVE | Component | Base Score | Versions Affected |
|---|---|---|---|
| CVE-2026-22016 | JAXP | 7.5 | 6, 7, 8, 11, 17, 21, 25, 26 |
| CVE-2026-34282 | Networking | 7.5 | 11, 17, 21, 25, 26 |
| CVE-2026-20652 | JavaFX (WebKitGTK) | 7.5 | 8, 11, 17, 21, 25, 26 |
| CVE-2026-22013 | JGSS | 5.3 | 6, 7, 8, 11, 17, 21, 25, 26 |
| CVE-2026-22021 | JSSE | 5.3 | 6, 7, 8, 11, 17, 21, 25, 26 |
| CVE-2026-23865 | 2D (FreeType) | 5.3 | 6, 7, 8, 11, 17, 21, 25, 26 |
| CVE-2026-22018 | Libraries | 3.7 | 7, 8, 11, 17, 21, 25, 26 |
| CVE-2026-22008 | Libraries | 3.7 | 25, 26 |
| CVE-2026-22007 | Security | 2.9 | 6, 7, 8, 11, 17, 21, 25, 26 |
| CVE-2026-34268 | Security | 2.9 | 6, 7, 8, 11, 17, 21, 25, 26 |
Three of those score 7.5, are remotely exploitable without authentication, and hit almost every supported Java version. CVE-2026-22016 is in JAXP. CVE-2026-34282 is in Networking. Both can be triggered through a web service that supplies data to the relevant APIs.
Beyond the CVEs, the release also includes six non-CVE security fixes covering certificate processing, ZIP file handling, image rendering (libPNG and FreeType), and affine transformations.
This is not a small update.
AI Is Changing How Vulnerabilities Get Found
The security landscape has changed, and running an unpatched Java runtime carries more risk than it did a year ago.
Earlier this year, Anthropic published results showing that Claude Opus 4.6 found more than 500 previously unknown high-severity vulnerabilities in major open-source projects, including Ghostscript, OpenSC, and CGIF. Some of those bugs had been hiding in well-tested codebases for years, even decades, surviving fuzz testing that had accumulated millions of CPU hours. The model found them by reasoning about code the way a human researcher would, not by throwing random inputs at it.
Then Anthropic announced Claude Mythos Preview, a model Anthropic considered capable enough at vulnerability discovery and exploitation that they restricted its release. The UK AI Security Institute evaluated it and found it could complete a 32-step simulated corporate network attack from initial reconnaissance to full takeover in 3 out of 10 attempts.
No panic needed. These models are being used by defenders too, and Anthropic has built safeguards into both Mythos Preview and the recently released Opus 4.7. But the fundamental shift is real: the time between a vulnerability being discovered and being exploited is compressing. Attackers have fewer obstacles than they did a year ago.
The practical consequence is simple. The longer you run an unpatched runtime, the more exposure you carry.
What You Should Actually Do
Start with the basics.
Find out which Java versions are running in your production environment. Not which version your developers use locally, not the version in your build process, but the version actually serving traffic.
Check those versions against the Azul CVE History Tool. It will tell you which known vulnerabilities affect your specific Java runtime version. If you are running something from before this week’s update, you are carrying at least some of the ten CVEs listed above.
Then update. The CPU build, available to Azul customers, is the low-risk path: security fixes only, no other changes. Azul tests and certifies these builds. From experience, we know that most updates take less time than teams expect (see the 2026 State of Java Survey & Report).
If you are on a Java version that no longer receives public updates, you should factor that into your decision. Java 6, 7, 8, and 11 are past their OpenJDK end-of-life dates but are still in active use across many organizations. Azul continues to provide security patches for those versions through its commercial support (see the Support Roadmap), but you need to be on a current patch level to get them.
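The inventory and lookup steps in this section can be scripted per host. The following is an added example, not Azul's tooling: it assumes a Linux host with `/proc` and a `release` file containing `JAVA_VERSION` in each runtime's home directory, and it uses only the CVE table above. It reports which CVEs apply to each running major line, not whether the installed patch level already contains the fixes, because this page gives no fixed build numbers.

```python
import os
import re

# Rows copied from the CVE table on this page: id, component, base score, affected lines.
ALL = (6, 7, 8, 11, 17, 21, 25, 26)
CVES = [
    ("CVE-2026-22016", "JAXP", 7.5, ALL),
    ("CVE-2026-34282", "Networking", 7.5, (11, 17, 21, 25, 26)),
    ("CVE-2026-20652", "JavaFX (WebKitGTK)", 7.5, (8, 11, 17, 21, 25, 26)),
    ("CVE-2026-22013", "JGSS", 5.3, ALL),
    ("CVE-2026-22021", "JSSE", 5.3, ALL),
    ("CVE-2026-23865", "2D (FreeType)", 5.3, ALL),
    ("CVE-2026-22018", "Libraries", 3.7, (7, 8, 11, 17, 21, 25, 26)),
    ("CVE-2026-22008", "Libraries", 3.7, (25, 26)),
    ("CVE-2026-22007", "Security", 2.9, ALL),
    ("CVE-2026-34268", "Security", 2.9, ALL),
]

def major_version(java_version):
    """Map JAVA_VERSION to its major line: '1.8.0_402' -> 8, '21.0.2+13' -> 21."""
    m = re.match(r'"?(?:1\.)?(\d+)', java_version.strip())
    if not m:
        raise ValueError(f"unrecognised JAVA_VERSION: {java_version!r}")
    return int(m.group(1))

def applicable_cves(major):  # table rows whose 'Versions Affected' lists this line
    return [(cve, comp, score) for cve, comp, score, lines in CVES if major in lines]

def read_release(java_home):  # JAVA_VERSION from <java_home>/release, or None
    try:
        with open(os.path.join(java_home, "release")) as fh:
            m = re.search(r'^JAVA_VERSION="?([^"\n]+)', fh.read(), re.M)
    except OSError:
        return None
    return m.group(1) if m else None

def running_jvms(proc="/proc"):  # yields (pid, java_home) for live 'java' processes
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue  # process exited, or no permission to inspect it
        if os.path.basename(exe) == "java":
            yield int(pid), os.path.dirname(os.path.dirname(exe))

if __name__ == "__main__":
    for pid, home in running_jvms():
        version = read_release(home) or read_release(os.path.dirname(home))  # JDK 8: <jdk>/jre/bin/java
        print(pid, home, version, applicable_cves(major_version(version)) if version else "no release file")
```

Run it with enough privilege to read other users' `/proc/<pid>/exe` links. A process whose binary was replaced on disk shows up as `java (deleted)` and is skipped here; it keeps running the old runtime until it is restarted.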
What Commercial Java Support Actually Means
The quarterly release cadence works well for planned patches. But zero-days don’t follow a schedule. When something critical surfaces, you need a vendor who can ship a fix outside the normal cycle and get it to you quickly.
That is what commercial Java support actually means. Not just access to builds, but someone with the engineering resources and infrastructure to act fast when the timeline is tight.
Azul does this for Zulu SA customers, including backporting fixes for older LTS versions that OpenJDK no longer actively maintains.
A Few Other Things in the April Release
The security fixes are the main story, but there is more worth knowing.

- Trusted Java Containers: Azul Zulu OpenJDK Joins Docker’s Official Images
- The Road to Docker Official Images for Java: The Azul Zulu Story
- Using the Azul Zulu Docker Official Images: From Simple Pull to Lean Container
CRaC now uses Warp as its default engine across all supported platforms. If you are using CRaC for faster startup, this is a good upgrade.
JavaFX support has been added for 64-bit ARM-based Windows 11 on Java 21, which matters for developers building client applications on Qualcomm-based laptops. Fedora 43 is also now supported.
The timezone data has been updated to IANA 2026a.
Conclusion
Ten CVEs fixed in Azul Zulu. Three score 7.5 with remote exploitability. AI models are now capable of finding and chaining vulnerabilities in ways that weren’t possible a year ago.
Unpatched runtimes pose a greater risk than they used to.
Update your Java runtime. Check your versions. If you need help with that process, or want the kind of support that covers urgent patches between quarterly cycles, reach out to Azul.
The release notes are available here. Our documentation also provides a CVE Search Tool and CVE History Tool.