PHP 8.5.3 and PHP 8.4.18 have been released with bug fixes for issues such as garbage collector leaks, null dereferences, and memory leaks. The two versions share most core patches, but PHP 8.5.3 adds extra safeguards for systems using JIT-enabled Opcache and prevents internal enums from being cloned or compared in certain ways. Both versions update Timelib to version 2022.16 and fix various issues with the DOM class, multibyte strings, and OpenSSL. Sites plagued by crashes may benefit from upgrading to PHP 8.5.3, while those already stable on 8.4.18 may only need to upgrade for the extra safeguards in 8.5.3.
PHP 8.5.3 and PHP 8.4.18 Release Notes: What’s Fixed and Whether to Upgrade
The two latest point releases, PHP 8.5.3 and PHP 8.4.18, arrive with an almost identical core of bug fixes but a handful of extra patches that only the newer version gets. This rundown shows which problems disappear in each build and helps decide if the upgrade path is worth the hassle.
Core stability differences
Both versions seal the same leak in the garbage collector that could spin forever when a fiber’s destructor runs, so long‑running scripts won’t get stuck on cleanup. They also share the fix for the ob_start() null dereference that used to crash shutdown functions—something many have seen after a driver update that broke output buffering. PHP 8.5.3 adds two fresh core patches: compatibility with the LTO preserve_none feature on macOS, and a correction that prevents internal enums from being cloned or compared in ways that trigger assertions. Those extra safeguards make 8.5.3 marginally more robust on systems that use JIT‑enabled Opcache.
Date handling
Timelib moves to version 2022.16 in both releases, so timezone tables and leap‑second data stay current without any user intervention.
DOM quirks
The HTMLDocument class finally respects closing tags inside <script> blocks. Projects that generated malformed markup with Dom\HTMLDocument should see the issue vanish after updating to either release.
Multibyte string reliability
Both builds close the divide‑by‑zero bug in mb_str_pad() when an invalid padding string is supplied, and they stop stack overflows caused by recursive array references in mb_convert_variables. If legacy code once hit a fatal error while converting deep structures, that pain point is gone.
Opcache and JIT
A tracing JIT segfault involving object references has been fixed in both releases. PHP 8.5.3 also adds a patch for a specific preserve_none/LTO interaction on macOS that could break compilation; the older 8.4.18 doesn’t need it.
OpenSSL robustness
Memory leaks and crashes triggered by failures inside openssl_x509_parse()—including problems with ASN1 integer conversion and name formatting—are patched across the board, keeping TLS‑heavy applications from silently leaking resources.
Miscellaneous extensions
PHAR builders no longer choke on missing base directories, PostgreSQL identifier escaping is now safe from undefined behavior, readline settings overrides stop leaking memory, and SPL’s doubly linked list iterator survives modifications during iteration. Finally, var_dump() can safely walk nested objects without blowing up, and lchown() works on symlinks even in ZTS builds.
Bottom line
If a site has been plagued by any of the listed crashes—especially the shutdown‑function null dereference or the fiber GC loop—moving to PHP 8.5.3 will clean up those rough edges while still giving everything that 8.4.18 already fixed. For environments that are already stable on 8.4.18, the extra LTO and enum safeguards in 8.5.3 might be the only reason to bother.
Release php-8.4.18
Tag for php-8.4.18
Release php-8.5.3
Tag for php-8.5.3
