Software 44560 Published by

PHP just shipped simultaneous release candidates for the 8.5 and 8.4 branches. Right on schedule. The 8.5.9 RC1 build goes straight for JIT stability and security hardening, patching critical tracing bugs, readonly property mutations, and four PDO_ODBC buffer overflows in one go. PHP 8.4.24 RC1 inherits most of these fixes under the project’s parallel maintenance model, with a couple of targeted patches for base64 encoding and getimagesize() integer overflows.



PHP drops simultaneous release candidates for 8.5 and 8.4 lines

The PHP development team just shipped two new release candidates, PHP 8.5.9 RC1 and PHP 8.4.24 RC1. They arrive barely a day after the 8.6.0 Alpha 2 preview, keeping the project’s relentless bug-fixing momentum rolling without skipping a beat.

Volker Dusch and Saki Takamachi tagged the builds respectively. Both are pre-release candidates meant for community testing before the final stable releases hit the mirrors. The focus here is tight. Correctness. Security hardening. JIT stability. If you run PHP in production, you already know the Tracing JIT can be a double-edged sword when it misbehaves.

Phpel

What changed under the hood

PHP 8.5.9 RC1 takes the heat for these patches. It builds directly on the 8.5 development line and addresses a cluster of critical JIT bugs that have kept engineers up at night. One fix stops the tracing JIT from dispatching observer handlers through the wrong cache slot on megamorphic calls. Another patches a SIGSEGV that crashes the engine when dynamic calls hit an undereferenced cache map offset.

PHP 8.5 also gets readonly property hardening. The engine now properly locks unmodified properties after a clone-with operation, which stops post-clone mutation dead in its tracks. PDO_ODBC receives a major security bump with four buffer overflow fixes tied to column display sizes and error diagnostics. A heap buffer over-read that could have let malicious input spill past declared bounds finally gets locked down.

The DOM module stops blowing its stack when serializing deeply nested XML documents. The timelib update rolls in date parsing improvements and fixes a long-standing issue with Unix timestamps in year zero. Standard library functions get their act together too. base_convert() no longer truncates output at 64 characters. array_multisort() stops throwing use-after-free errors when your comparator mutates the array mid-flight.

What the 8.4 branch gets

PHP 8.4.24 RC1 inherits most of these patches. The PHP project’s parallel fix process means both maintenance lines get the same security and stability treatments. The 8.4 branch remains the current stable release line, meaning it will keep receiving security updates until at least November 2027. You won’t find many exclusive patches here, but there are a couple of targeted fixes. One addresses base64 encoding corruption during incremental flushes. Another patches an integer overflow when getimagesize() parses oversized IFF chunks.

It’s a fair chunk of patches for a minor version bump, but that’s how PHP operates when the engine needs recalibration. The JIT fixes alone will be worth the update for anyone running high-traffic applications that rely on runtime tracing. At the same time, rolling an RC into a staging environment is still the responsible move. You want to catch regressions before the final tag hits the mirrors.

The JIT has been a rolling thunderstorm for years. Some developers love the speed. Others dread the occasional segfault. PHP 8.5 finally tries to lock it down with proper cache slot routing and recursion guards. The work started back when the tracing JIT first landed, and the ongoing stability patches are quietly paying off.

If you want to test these builds yourself, the source repositories are already up:

Release php-8.5.9RC1

Tag for php-8.5.9RC1

Release php-8.5.9RC1 · php/php-src

Release php-8.4.24RC1

Tag for php-8.4.24RC1

Release php-8.4.24RC1 · php/php-src

The full changelogs are available for both lines if you need to audit specific extensions. Recent lines have also patched a stack of security issues, including memory corruption in OpenSSL AES-WRAP-PAD handling, DOM C14N namespace duplication, and PDO_Firebird injection vectors.

Report any regressions to the PHP source issues tracker. The final stable releases will drop once the RC window closes without blockers. Keep an eye on php.net for the official announcement dates.