PHP 8.5.7 Release Candidate 1 Fixes Critical JIT Crashes and URI Vulnerabilities
The first release candidate for PHP 8.5.7 just dropped, and this build focuses heavily on stabilizing the Opcache tracing JIT while patching a pair of security flaws in the URI extension. Server administrators and framework maintainers should test this version before pushing it into production environments that rely on heavy caching or custom XPath queries. The update addresses several crash conditions that have been causing unexpected downtime during high traffic spikes.
Opcache and JIT Stability Improvements for PHP 8.5.7
The tracing JIT has been a frequent source of segmentation faults and assertion failures since its introduction, and this release finally targets the exact conditions that trigger those crashes. Developers who set opcache.jit_buffer_size to run the JIT will notice fixes for tailcall VM crashes when interrupts happen during helper functions. The build also resolves an issue where handling a VM interrupt inside an observed user function call would bring down the entire process. These patches matter because JIT compilation is supposed to speed up execution, not turn routine requests into core dumps. Testing this candidate on staging servers helps catch edge cases before the tracing engine breaks production workloads during peak hours.
Security Patches in URI Parsing and DOM Handling
Fixes for two CVEs tied to the uriparser library made it into this candidate, and both deserve immediate attention from anyone processing user input or handling external links. The first issue involves pointer difference truncation that could corrupt memory during complex URI operations. The second flaw misclassifies two different URIs as identical, which breaks routing logic in web applications that rely on strict path matching. A separate fix addresses a use-after-free vulnerability when custom XPath functions interact with the DOM extension. These kinds of memory safety bugs often slip through initial testing until an attacker or a malformed request triggers them, so applying this update early limits the window for exploitation.
Standard Library and OpenSSL Compatibility Updates
Beyond the critical fixes, the release tidies up several edge cases that cause silent failures in everyday scripting tasks. The version_compare function now correctly handles strings ending with a dot, which stops false negatives when comparing package versions or framework releases. A date extension patch resolves an integer overflow in php_date_llabs that could corrupt timestamp calculations on systems handling large numeric values. CLI users also get a correction for getopt optional value parsing, which prevents argument misreads during automated deployment scripts. OpenSSL compatibility work ensures smooth operation with version 4.0 libraries without forcing developers to downgrade or maintain custom patches.
The release candidate stage is exactly where these kinds of fixes belong, giving framework teams and system administrators a chance to verify stability before the final build ships. Running php -v against this version on a test server will quickly reveal whether existing extensions or custom JIT configurations need adjustments. Keep an eye on the official changelog for any last-minute tweaks before the stable release drops.
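To see whether the tracing JIT fixes apply to a given host, the sketch below classifies the JIT configuration from `php -i` output. It is an added example, not code from the PHP project; the helper names `ini_value` and `jit_state` are hypothetical, and it assumes the usual `name => local value => master value` line format. Note that `php -i` run from a shell reports the CLI configuration, so values for an FPM pool have to be captured from that SAPI.

```shell
#!/bin/sh
# Added example (not from the PHP project): classify JIT exposure from
# `php -i` text, whose ini lines read "name => local value => master value".

# ini_value NAME: print the local value of NAME from `php -i` text on stdin.
ini_value() {
    awk -F' => ' -v k="$1" '$1 == k { print $2; exit }'
}

# jit_state: read `php -i` text on stdin and print one word:
#   off       JIT cannot run under this configuration
#   tracing   tracing JIT active (the mode the crash fixes concern)
#   function  function JIT active
#   review    unrecognised opcache.jit value, inspect by hand
jit_state() {
    info=$(cat)
    get() { printf '%s\n' "$info" | ini_value "$1"; }

    case "$(get opcache.enable)" in On|1) ;; *) echo off; return 0 ;; esac
    # Under the CLI SAPI, opcache also needs opcache.enable_cli.
    if [ "$(get 'Server API')" = 'Command Line Interface' ]; then
        case "$(get opcache.enable_cli)" in On|1) ;; *) echo off; return 0 ;; esac
    fi
    # A zero-sized buffer leaves the JIT with nowhere to emit code.
    case "$(get opcache.jit_buffer_size)" in
        ''|0|0[KMGkmg]|'no value') echo off; return 0 ;;
    esac
    case "$(get opcache.jit)" in
        disable|off|Off|0) echo off ;;
        # Numeric CRTO form: trigger digit 5 selects tracing, last digit 0 means no JIT.
        tracing|on|On|1|[0-9][0-9]5[1-9]) echo tracing ;;
        'function') echo function ;;
        *) echo review ;;
    esac
}

# Constructed sample, not captured from a real host.
sample='Server API => FPM/FastCGI
opcache.enable => On => On
opcache.jit => tracing => tracing
opcache.jit_buffer_size => 128M => 128M'
printf 'sample host: %s\n' "$(printf '%s\n' "$sample" | jit_state)"
# On a staging host: php -i | jit_state
```

A result of `tracing` means the host exercises the code paths this candidate patches and belongs in the staging test set.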
