PHP 8.4.20 Release Fixes Critical JIT Compiler and Memory Issues
System administrators running PHP 8.4 will want to check if their servers are vulnerable to silent arithmetic errors or memory corruption after this patch arrives. The update addresses dangerous bugs in the Opcache JIT compiler that could cause wrong calculation results alongside memory leaks in several extensions including FFI and Sysvshm. Web developers working with XML parsing or image handling will also find fixes for malformed attribute handling and AVIF file detection issues.
Production servers using opcache JIT need this update immediately
The most serious problems in this patch involve the Opcache Just In Time compiler producing incorrect arithmetic results under specific conditions. Teams enabling opcache.jit for performance gains may have been silently calculating wrong values without any visible error messages, a particularly nasty bug since it affects mathematical operations that appear to work normally while returning bad data. Additional JIT issues include infinite loops triggered when fetching object properties in polymorphic contexts and use-after-free vulnerabilities that could crash PHP processes during high traffic periods.
Memory corruption and undefined behavior get patched across multiple extensions
Several fixes address memory leaks and undefined behavior that typically manifest as random crashes or degraded performance over time. The FFI extension has been corrected to properly release resources when symbol resolution fails, preventing gradual memory exhaustion in applications using foreign function interfaces. Shared memory operations through Sysvshm now handle corrupted variables without leaking memory while SNMP security functions no longer exhibit undefined behavior with NULL arguments.
Web developers get XML and image handling corrections
The DOM HTMLDocument parser has been fixed to stop mangling xml:space and xml:lang attributes during parsing, which matters for applications preserving whitespace or language metadata in generated documents. Image processing code can now correctly identify some AVIF images that were previously rejected by getimagesize while the GD extension properly reports libJPEG 10.0 support status. XSLT processing no longer fails when using Dom\XMLDocument objects instead of DOMDocument, fixing a compatibility issue for migration projects moving between legacy and modern PHP APIs.
Deployment strategy depends on your opcache configuration
Anyone running PHP with JIT enabled should prioritize this update to prevent data corruption in calculations while those using shared memory or FFI extensions benefit from leak fixes that improve long-running process stability. The OpenSSL changes skip validation for elliptic curve keys where the previous check was incorrect, which affects applications generating certificates programmatically. Standard output buffer handling now asserts properly instead of allowing undefined behavior when buffers are misconfigured, helping developers catch bugs during development rather than in production.
Check your opcache configuration before deploying since the JIT fixes may change performance characteristics slightly while ensuring correctness takes priority over micro-optimizations.
Release php-8.4.20
Tag for php-8.4.20
