
PHP 8.2.32 and 8.3.32 have been released to patch a critical memory corruption bug in openssl_encrypt when handling AES-WRAP-PAD encryption. Given that PHP still powers 70.8% of all websites with a known server-side language, the fix addresses a vulnerability that could cascade into crashes across a massive portion of the internet. While PHP 8.5 remains the current feature release and newer branches will miss this specific patch, all supported versions continue to receive monthly security updates from the active development team. Developers on 8.2 or 8.3 should update immediately via the official download page, while the broader ecosystem continues to stabilize around modern standards despite lingering legacy installations.





PHP 8.2.32 and 8.3.32 Released to Patch OpenSSL Memory Corruption Bug

PHP 8.2.32 and 8.3.32 are out, and they carry a fix for a nasty memory corruption bug in openssl_encrypt when used with AES-WRAP-PAD. If you are running either version, you will want to update.

Two more PHP versions are out today, addressing a memory corruption bug in older legacy versions of PHP. The vulnerability, tracked as GH-22187, corrupts the zend_mm_heap allocator. PHP committer David Carlier handled the patch, and the team pushed both builds out alongside their routine monthly security cycle. AES-WRAP-PAD is a relatively obscure encryption scheme, mostly used for wrapping cryptographic keys, but when the underlying allocator trips over it, the corruption can cascade into crashes or worse.

Updating is the obvious move. If your stack is already on 8.4 or 8.5, this specific one misses you. You will still want to keep an eye on the patch cadence though. PHP ships fixes across every supported branch on a roughly monthly schedule, and the OpenSSL extension is about as widely used as it gets.


The PHP Landscape in June 2026

Let's address the elephant in the room. Despite a decade of "PHP is dead" memes and plenty of developer Twitter takes, the language isn't going anywhere. According to W3Techs data from this month, PHP still backs 70.8% of all websites with a known server-side language. Facebook, Wikipedia, Baidu, VK, Nginx.org, and Archive.org all run on it. That is not a legacy footprint. That is the backbone of the public web.

The PHP team is actively maintaining four major versions right now. PHP 8.5 sits at 8.5.8 as of early June. PHP 8.4 and 8.3 are in active security maintenance, with 8.3.32 landing today. PHP 8.2 only receives security patches now, and its window slams shut at the end of December 2025. If you are still on 8.1 or older, you are officially on borrowed time.

PHP 8.5 dropped in late November 2025 with some genuinely useful additions. You get a |> pipe operator for functional-style transforms, a #[\NoDiscard] attribute, explicit (void) casts, and the long-awaited URI extension. OPcache is now bundled by default, which should save new developers from a decade of Stack Overflow posts about missing extensions. Performance-wise, the TAILCALL VM cuts stack overhead on recursive patterns, though you will need Clang 19 or newer to actually trigger it.

The security posture has improved dramatically under current stewardship. Monthly patches, strict types, Psalm and PHPStan integration, and built-in password_hash() and random_int() have turned PHP into a reasonably secure runtime. And it is no longer "slow." OPcache warms up fast, the JIT handles compute-bound workloads, and PHP consistently beats Ruby, Python, and Node.js for traditional server-rendered requests at comparable complexity. The bottleneck is almost always your database, not the interpreter.

Legacy code is still a problem. Roughly 8% of PHP sites are running 5.x or 7.x. Those are security liabilities that will not magically vanish. The "PHP is dead" crowd will keep posting anyway, but the language's roadmap shows it is still actively evolving. Property hooks, URI normalization, and ongoing HTTP/3 support are on the table. It's a rather expensive proposition to rewrite millions of sites, though the hosting ecosystem keeps chugging along regardless.

Update to 8.2.32 or 8.3.32 if you are on those branches. Check your runtime with php -v, pull the patches from the official download page, and clear your OPcache if you are running a production stack. See the official PHP announcement for full CVE details and migration notes.
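
A triage sketch for the update advice above, added here as an example and not taken from the article's source or the PHP project: it classifies a PHP version string against the fixed releases named in the article and lists PHP files that mention a wrap-pad cipher. The function names, status labels and the text search for "wrap-pad" are assumptions of this example.

```shell
#!/bin/sh
# Added example. Fixed releases 8.2.32 / 8.3.32 are from the article; the
# function names and status labels are made up for this sketch.

# classify_php_version X.Y.Z prints one of:
#   needs-update  8.2.x below 8.2.32, or 8.3.x below 8.3.32
#   has-fix       8.2.32+ or 8.3.32+
#   not-targeted  8.4 or newer (the article says this fix is not aimed there)
#   unsupported   8.1 or older (the article's "borrowed time" branches)
#   unknown       input that is not an X.Y.Z version
classify_php_version() {
    ver=${1%%[!0-9.]*}                 # drop distro suffixes like "-1ubuntu1"
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    case "$major$minor$patch" in *[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -lt 2 ]; }; then
        echo unsupported
    elif [ "$major" -eq 8 ] && [ "$minor" -le 3 ]; then
        # Both fixed releases happen to carry patch level 32.
        if [ "$patch" -ge 32 ]; then echo has-fix; else echo needs-update; fi
    else
        echo not-targeted
    fi
}

# find_wrap_pad_calls DIR lists .php files under DIR that contain the text
# "wrap-pad" (as in the cipher name aes-256-wrap-pad). A cipher name built at
# run time will not be found, so treat an empty result as a hint, not proof.
find_wrap_pad_calls() {
    find "$1" -type f -name '*.php' -exec grep -li -e 'wrap-pad' {} + || :
}

# Stand-alone use: report on the local interpreter, then scan an optional path.
# PHP_VERSION gives the same version that "php -v" prints, without the banner.
if command -v php >/dev/null 2>&1; then
    v=$(php -r 'echo PHP_VERSION;')
    echo "php $v: $(classify_php_version "$v")"
fi
if [ -n "${1:-}" ]; then
    find_wrap_pad_calls "$1"
fi
```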