Java 24 for business: Security upgrades that actually matter

Java 24 delivers 24 focused enhancements that make modern applications more secure, responsive, and easier to run without requiring a complete rewrite. Released on March 18, 2025, this update continues Java's predictable six-month release schedule and includes immediate access to production-ready builds across all major platforms.

What is Java 24

Java 24 represents the March 2025 feature release of the Java platform, developed through OpenJDK and distributed as the reference implementation of Java SE 24. As a non-LTS (Long-Term Support) release, it is designed to deliver practical improvements ahead of the next long-term support milestone expected in September 2025. The release balances developer productivity enhancements with performance optimizations, stability improvements, and security hardening that align with current enterprise requirements.

How it works

New features go through a structured development process called JEP (Java Enhancement Proposal), where they are tested and refined before release. Once features are stable, they are included in the official General Availability build, which is the same code that both OpenJDK and commercial vendors distribute. Java 24 followed a predictable timeline: development locked down in December 2024, moved through testing phases, and released on March 18, 2025. This consistent six-month schedule allows development teams to plan upgrades with confidence. Organizations can download production-ready versions for Linux, macOS, and Windows, then validate them in existing CI/CD pipelines before production deployment.

What is new for security

Java 24 introduces protection against future quantum computing threats by adding two new cryptographic algorithms: ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) for secure key exchange and ML-DSA (Module-Lattice-Based Digital Signature Algorithm) for digital signatures. These algorithms align with the NIST standards discussed in recent quantum computing developments and provide practical implementation options for developers today. The release also includes a new Key Derivation Function API that strengthens how cryptographic keys are generated and managed, particularly important for protecting long-lived data.

On the defensive side, Java 24 permanently disables the Security Manager, which is a legacy security feature that has been replaced by more effective modern controls. The platform now issues warnings when code uses dangerous memory-access methods in sun.misc.Unsafe , which have historically been a source of security vulnerabilities and unpredictable behavior. Java 24 also lays groundwork for restricting Java Native Interface (JNI) usage in future releases, since JNI can bypass Java's built-in security protections and create potential attack vectors.

Finally, the 32-bit x86 Windows port has been removed. While this may seem minor, older platforms represent a larger attack surface because they receive fewer security updates and are more difficult to monitor in modern security environments.

Performance and reliability

Java 24 introduces experimental improvements to garbage collection that help applications handle high volumes of requests more efficiently. Generational Shenandoah is a new garbage collector option designed to reduce response time delays, while Compact Object Headers decrease memory consumption, which is particularly valuable when applications create millions of small objects. Both features target high-throughput services where performance consistency directly impacts user experience.

The Z Garbage Collector (ZGC) has been simplified by removing its older non-generational mode, making it easier to configure and maintain while focusing on its most effective operational pattern. Meanwhile, the G1 garbage collector, which is Java's default option, received barrier expansion optimizations that improve stability when applications are under heavy load. These improvements help prevent performance degradation during peak traffic periods.

For compute-intensive workloads like data processing, financial calculations, or cryptographic operations, the Vector API continues advancing toward final release. This API enables applications to take advantage of modern CPU instructions that process multiple data points simultaneously, delivering better performance without requiring developers to rewrite their application logic.

Why leaders should care

Improved security defaults reduce operational risk while keeping development teams productive on a modern, supportable platform. Post-quantum cryptography options can be evaluated and piloted now for systems handling long-lived data or operating in regulated industries, all without disrupting existing production deployments. The predictable six-month release cadence allows technology roadmaps to absorb changes gradually rather than forcing costly, high-risk migration projects.

Risks and realities

Java 24 is a non-LTS release, meaning most organizations should validate it in representative workloads before broad deployment to minimize operational risk. Security Manager removal and 32-bit x86 deprecation may impact older monitoring agents, application servers, or legacy desktop applications if dependencies are not inventoried beforehand. Forthcoming restrictions on JNI usage and warnings around Unsafe methods require early engagement with software vendors and internal platform teams to ensure compatibility.

What to do now

1. Inventory and assess your Java footprint

   Start by conducting a security code review to map where Java runs across your infrastructure, which garbage collection modes are currently in use, and identifying any dependencies on Security Manager, JNI, or Unsafe methods. Document these findings to inform migration planning.

2. Evaluate post-quantum cryptography in test environments

   Test the new post-quantum algorithms (ML-KEM, ML-DSA) and the Key Derivation Function API in non-production environments, particularly for systems where data confidentiality requirements extend years into the future. Document performance characteristics and compatibility findings to inform production decisions.

3. Benchmark experimental features under realistic load

   Test experimental features like Generational Shenandoah or ZGC configuration changes under realistic load conditions. Compare latency and throughput metrics against current baselines to quantify improvements or regressions.

4. Coordinate vendor support timelines

   Engage with Java distribution vendors regarding Java 24 support timelines and quarterly update schedules (such as 24.0.2) to ensure access to security patches and bug fixes.

Pressing questions

• Is Java 24 LTS?

  No, Java 24 is a non-LTS feature release following the six-month release cycle. It is intended for incremental adoption and evaluation before the next long-term support version arrives in September 2025.

• Where do the biggest security changes show up?

  The most significant security changes include post-quantum cryptography algorithms (ML-KEM and ML-DSA), the new Key Derivation Function API, permanent Security Manager disablement, warnings on Unsafe memory-access methods, and preparation for future JNI restrictions.

• Will this break existing applications?

  Most applications will run without modification. However, legacy components or monitoring agents that rely on Security Manager, 32-bit x86 Windows support, direct JNI calls, or Unsafe methods should be assessed early to identify potential compatibility issues.

• How soon should organizations move?

  Organizations should begin with focused pilot programs to evaluate performance improvements and security enhancements in their specific environment. This approach captures early benefits while reducing risk and preparing infrastructure for the next LTS release.

• How do teams get Java 24?

  Development and testing teams can use OpenJDK General Availability builds for initial evaluation. For managed production deployments, standardized vendor builds from commercial Java distributors provide the support and update guarantees most enterprises require.

Key takeaways

Java 24 packages security hardening, quantum-resistant cryptography, and runtime performance improvements into the March 2025 feature release. Organizations that pilot these capabilities now can reduce future risk while unlocking measurable performance and security gains ahead of the next long-term support release .