This week's Java roundup for June 1st, 2026, features news highlighting: JDK 27 in Rampdown Phase One; the formation of the JDK 28 Expert Group; the GlassFish Arquillian Connectors Suite for Jakarta EE TCKs; point releases for Infinispan and Kotlin; maintenance releases of GlassFish and Micronaut; and the June 2026 beta release of Open Liberty.
OpenJDK
After its extended review has concluded, JEP 538, PEM Encodings of Cryptographic Objects (Third Preview), has been elevated from Proposed to Target to Targeted for JDK 27. This JEP proposes a third preview after two rounds of preview delivered in JDK 25 and JDK 26. This feature offers "an API for encoding objects that represent cryptographic keys, certificates, and certificate revocation lists into the widely-used Privacy-Enhanced Mail (PEM) transport format, and for decoding from that format back into objects." This JEP will support conversions between PEM text and cryptographic objects in PKCS #8 and X.509 binary formats. Changes include: a reclassification of the PEM record class to a regular class as a convenience for providing constructors that accept Base64-encoded content in byte arrays; and a rename of the DEREncodable interface to BinaryEncodable to more accurately describe the binary data stored in PEM text.
JDK 27
Build 25 of the JDK 27 early-access builds was made available this past week featuring updates from Build 24 that include fixes for various issues. Further details on this release may be found in the release notes.
As per the JDK 27 release schedule, Iris Clark, OpenJDK Engineering Liaison at Oracle, formally declared that JDK 27 has entered Rampdown Phase One. This means that the main-line source repository has been forked to the JDK stabilization repository and no additional JEPs will be added for JDK 27. Therefore, the final set of nine features for the GA release in March 2026 will include:
- JEP 523: Make G1 the Default Garbage Collector in All Environments
- JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3
- JEP 531: Lazy Constants (Third Preview)
- JEP 532: Primitive Types in Patterns, instanceof, and switch (Fifth Preview)
- JEP 533: Structured Concurrency (Seventh Preview)
- JEP 534: Compact Object Headers by Default
- JEP 536: JFR In-Process Data Redaction
- JEP 537: Vector API (Twelfth Incubator)
- JEP 538: PEM Encodings of Cryptographic Objects (Third Preview)
For JDK 27, developers are encouraged to report bugs via the Java Bug Database.
JEP 538 was originally finalized for JDK 27 after two rounds of preview, but due to last-minute feedback, it was decided to deliver a third preview.
JEP 528: Post-Mortem Crash Analysis with jcmd, was originally planned to be included in JDK 27, however, it was reverted back to Candidate status during its Proposed to Target phase.
JDK 28
JSR 403, Java SE 28, was approved this past week to formally announce the four-member expert group for JDK 28, namely Simon Ritter (Azul Systems), Iris Clark (Oracle), Stephan Herrmann (Eclipse Foundation) and Christoph Langer (SAP SE). Clark will serve as the specification lead. Notable dates at this time include a public review from December 2026 through February 2027 and the GA release in March 2027.
Build 0 and Build 1 of the JDK 28 early-access builds were also made available this past week featuring updates to resolve these initial issues. There are no release notes at this time.
More insights on OpenJDK and the JCP Expert Group may be found in this InfoQ podcast featuring Simon Ritter, Deputy CTO at Azul, published in December 2025.
GlassFish
The release of GlassFish 8.0.3 delivers bug fixes, documentation improvements, dependency upgrades and several optimizations for improved Embedded GlassFish startup that include: setting multiple properties in a single command; passing an instance of the ClassLoader class to asynchronous jobs; and prevention of brute-force authentication attacks on the Administration Console and REST API. More details on this release may be found in the release notes.
GlassFish Pool for Jakarta EE TCKs
OmniFish has announced that their upcoming release of GlassFish Arquillian Connectors Suite 2.2.0 now eliminates the traditional overhead of the Jakarta EE Technology Compatibility (TCK) such that TCK tests are completed in minutes rather than hours. This is accomplished by "sharing a pool of pre-started GlassFish instances across the entire reactor."
This updated version consists of the Arquillian Container GlassFish Pool and its corresponding Maven Plugin. The GlassFish pool implements an Arquillian DeployableContainer interface at runtime that leases a slot for the duration of a test JVM and deploys this against the leased slot's Domain Administration Server (DAS) via an instance of the CommonGlassFishManager class.
Micronaut
The Micronaut Foundation has released versions 5.0.2 and 5.0.1 of the Micronaut Framework (announced here and here, respectively), based on Micronaut Core 5.0.2 and Micronaut 5.0.1, featuring patch updates to modules: Micronaut Data; Micronaut for Spring; Micronaut LangChain4j; Micronaut GraphQL; and Micronaut JSON Schema.
These releases also address security advisories: GHSA-387m-935m-c4vw, a vulnerability that had the potential for infinite redirect loop leading to a denial-of-service attack due to the lack of a limit on HTTP redirections; and GHSA-q6gh-6v2r-hjv3, a vulnerability in which the DefaultHttpClient class was forwarding sensitive headers on cross-origin redirects.
There was also a dependency upgrade to Netty 4.2.15 that resolved numerous CVEs. Further details on these releases may be found in the release notes for version 5.0.1 and version 5.0.2.
Open Liberty
The beta release of Open Liberty 26.0.0.6 ships with a beta preview of an HTTP transport based on Netty that resolved a timeout issue due to an instance of the LibertyHttpObjectAggregator class creating a deadlock by blocking the pipeline while waiting for request body content. The client, on the other hand, was waiting for a response from HTTP Status Code 100, Continue, before sending the request body content.
Infinispan
The release of Infinispan 16.2.0, codenamed "Arctic Panzer Wolf," provides notable changes such as: an expansion of implemented commands in the Redis Serialization Protocol specification (RESP) that include BITFIELD, DELEX, COPY and DIGEST; new classes, BloomFilter, CuckooFilter, CountMinSketch, TopK and HyperLogLog that serve as implementations of probabilistic data structures in RESP; and a unified and simplified configuration of PEM certificates that auto-detects keystore types. More details on this release may be found in the release notes.
Kotlin
The release of Kotlin 2.4.0 delivers bug fixes, documentation improvements, dependency upgrades and new features such as: support for JDK 26 and annotations enabled by default in Kotlin/JVM; incremental compilation enabled by default and support for the WebAssembly Component Model in Kotlin/Wasm; and support for value class export and features defined in ES2015, AKA ECMAScript 6, in Kotlin/JavaScript. Further details on this release may be found in the release notes and this what's new page.