PHP Ships 8.5.8 and 8.4.23 Maintenance Releases
Security patches for OpenSSL memory corruption, Phar bypasses, and Opcache bugs land in the latest updates.
The PHP development team has dropped maintenance releases for its two active branches. PHP 8.5.8 and 8.4.23 are now available, bringing a mix of stability improvements and security patches to the most widely deployed server-side language on the internet.
If you're running a PHP shop, now is the time to update. These aren't feature drops, but they address issues that could bite production environments. The headline grabber here is a memory corruption bug in OpenSSL for the 8.4 branch, alongside a Phar directory protection bypass found in both releases.
What's in the 8.5.8 Update
PHP 8.5 remains the current feature release, and this update keeps the engine clean. The changelog highlights a fix for an unsafe inheritance cache replay issue in Opcache. If you're running heavy workloads with reentrant autoloading, the previous behavior could lead to unstable states. That's worth patching.
There's also a Phar bypass involving the magic .phar directory protection. The fix addresses paths starting with /.phar while still allowing non-magic directory names that share the prefix. GD got a double-free fix in gdImageSetStyle() that triggers on overflow. Memory safety wins are always good to see.
Core and Date extensions received their usual attention. A compile error for goto labels preceding try/finally blocks is resolved, and DatePeriod::createFromISO8601String() no longer trips over incorrect recurrence checks.
The new URI extension, ext/uri, got some clean-up work. Previous wither call errors are now cleared before the next validation, so you won't be served stale error logs. Keep in mind that this extension provides RFC 3986 and WHATWG URL-compliant APIs. It's replacing ad-hoc URL handling across the codebase.
PHP 8.6 Alpha Drops
While 8.5 gets the maintenance patches, the team is already looking ahead. Yesterday marked the release of the first alpha version of PHP 8.6.0.
This is the start of the testing cycle, not a production-ready release. Alpha versions are for developers who want to experiment with upcoming features and help catch bugs before the final release. If you're curious about what's coming next, you can grab the alpha now, but don't deploy it to production.
What's in the 8.4.23 Update
The 8.4 branch focuses on security and stability. The most critical fix here is in OpenSSL. Bug GH-22187 addresses memory corruption in openssl_encrypt when using AES-WRAP-PAD. The internal zend_mm_heap gets corrupted. If you rely on this specific encryption mode, you need this patch immediately.
GD receives several overflow fixes. imageaffine, imageellipse, and imagefilledellipse had issues that could produce unexpected results or trigger NaN filter values. Image processing scripts processing user uploads should test these.
mysqli has a leak fix in stmt->query for validation errors in mysqli_execute_query(). Opcache gets the same inheritance cache fix as 8.5. And Spoofchecker APIs are now restricted to ICU 53 and later, which aligns the extension with modern requirements.
DOM also gets a fix for Dom\XMLDocument::schemaValidate failing to resolve xs:QName with prefixes from imported schemas. It's a niche edge case, but XML consumers will appreciate it.
PHP's State in 2026
PHP still powers roughly 70.8% of all websites whose server-side language is known, according to W3Techs data from June 2026. Three out of every four websites run on it. You'll find it behind Facebook, Wikipedia, Baidu, Archive.org, and, of course, Linux Compatible.
The language has matured significantly since its "spaghetti code" reputation. PHP 8.5 introduced the TAILCALL VM, which leverages compiler tail-call optimization at the virtual machine level. It reduces stack overhead in recursive patterns. The pipe operator <|> enables functional-style data piping, and #[\NoDiscard] marks return values that must be used.
Adoption of the 8.x branch is climbing. Version 8.x now holds a 61.3% usage share among PHP sites. The 7.x branch still has about 30.4% share, which is a lingering security concern. Many sites rely on end-of-life software that no longer receives patches. The shift is accelerating as hosting providers drop support for older versions.
WordPress remains the elephant in the room. It powers over 43% of all websites globally and continues to drive PHP adoption. The ecosystem includes modern frameworks like Laravel, along with legacy stalwarts like Drupal and Joomla.
Get the Update
The source tarballs are available now. The PHP team typically publishes binary packages and Docker images shortly after the initial announcement.
Head here to download PHP 8.5.8 and here for PHP 8.4.23. If you're still on PHP 7.4, you're running unsupported code. The migration path is straightforward if you have the budget. The language has evolved enough that it might be worth revisiting.
