PHP 8.5.8 RC Fixes Memory Leaks, Opcache Crashes, and a Phar Security Bypass
The PHP development team just dropped the release candidate for version 8.5.8, and this one actually tackles some nasty edge cases that have been quietly breaking production environments. You will get a clear breakdown of what changed in Opcache, why the Phar directory protection needed a patch, and which extensions finally stopped leaking memory on initialization failures. Testing the PHP 8.5.8 RC build before the final release saves you from chasing down segmentation faults or silent data corruption later.
Core stability and Opcache tailcall fixes matter more than expected
The compile error triggered by a goto to a label preceding a try/finally block has been sitting in the tracker long enough that developers probably stopped using goto altogether just to avoid it. That is fixed now, but the real win here is the NaN to bool string coercion assertion crash. This exact panic happens often enough that teams usually blame a bad driver update or a third-party library passing malformed numeric strings through a legacy API. The Opcache changes are equally important for anyone running heavy applications. A tailcall VM interrupt bug and an unsafe inheritance cache replay with reentrant autoloading can easily turn a perfectly fine script into a segfault during peak traffic. Those two patches keep the opcode cache from corrupting variable types when typed by-value returns wrap references, which means cached bytecode actually stays consistent across requests.
Why the PHP 8.5.8 RC Phar patch and memory fixes matter
The patch for the .phar directory protection in Phar::addEmptyDir() closes a path traversal loophole that only triggered when paths started with /.phar. Security researchers love finding edge cases like this, and it is good to see the team lock it down before stable ships. Memory management gets cleaned up across several extensions too. GD finally stops double freeing after an overflow triggers an early return in gdImageSetStyle(), which prevents heap corruption during heavy image processing. Zip and Zlib both get memory leak fixes when deflate initialization fails or inflate_add() runs into trouble, so servers will stop slowly choking on abandoned handles during backup scripts or file upload spikes. BCMath also gets a round of fixes for oversized allocations and signed overflow in the rounding functions, which matters if financial calculations push past standard integer limits.
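A staging-side regression probe for the Phar fix described above, as an added example that is not code from the PHP project. It assumes the CLI is started with phar.readonly=0 and that a rejected directory name surfaces as an exception; the script name, probeAddEmptyDir() and the probe paths are hypothetical.

```php
<?php
// Added example: checks whether this PHP build rejects directory names that
// land inside the reserved ".phar" directory, including the leading-slash
// form named in the release notes.
// Run on a staging box: php -d phar.readonly=0 phar_probe.php
declare(strict_types=1);

// Returns true when addEmptyDir() refuses the name, false when it accepts it.
function probeAddEmptyDir(string $archive, string $dir): bool
{
    $phar = new Phar($archive);
    try {
        $phar->addEmptyDir($dir);
        return false;
    } catch (Exception $e) {
        return true;
    } finally {
        unset($phar);
        if (is_file($archive)) {
            @unlink($archive); // best-effort cleanup of the scratch archive
        }
    }
}

if (filter_var(ini_get('phar.readonly'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "phar.readonly is on; rerun with -d phar.readonly=0\n");
    exit(2);
}

// Constructed probe paths: a control, the long-protected form, and the
// leading-slash form the 8.5.8 RC patch covers.
$cases = [
    'docs/probe'   => false, // ordinary directory, should be accepted
    '.phar/probe'  => true,  // reserved directory, should be rejected
    '/.phar/probe' => true,  // should also be rejected on a patched build
];

$failed = false;
foreach ($cases as $dir => $shouldReject) {
    $archive = sys_get_temp_dir() . '/probe_' . bin2hex(random_bytes(4)) . '.phar';
    $rejected = probeAddEmptyDir($archive, $dir);
    $ok = ($rejected === $shouldReject);
    $failed = $failed || !$ok;
    printf("%-14s %-9s %s\n", $dir, $rejected ? 'rejected' : 'accepted', $ok ? 'OK' : 'UNEXPECTED');
}
exit($failed ? 1 : 0);
```

A non-zero exit status makes the script easy to wire into the same staging job that runs the RC's test suite.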
Date parsing, SOAP crashes, and URI error logging round out the release candidate
The DatePeriod::createFromISO8601String() recurrence check was returning wrong intervals for certain calendar setups, which breaks cron jobs that rely on precise ISO formatting. SOAP gets two fixes that stop handle() from crashing when $_SERVER is not an array and force the server to accept raw input exactly as expected by older integrations. The URI extension finally cleans error logs before each wither call so validation errors do not bleed into subsequent requests, which saves hours of debugging when building dynamic URL builders. Reflection now preserves class name case in getProperty() error messages, making stack traces actually readable instead of throwing generic warnings that point developers in the wrong direction. Testing this RC on a staging server takes less than ten minutes and catches these exact issues before they hit production.
Release php-8.5.8RC1
Tag for php-8.5.8RC1
Grab the tarball, run the test suite, and report any weird behavior back to the bug tracker. The stable release will likely follow soon, but getting ahead of these patches now keeps the stack from breaking when everyone else upgrades at once. Happy debugging.
