PHP 8.5.6 Release Announcement

The PHP development team announces the immediate availability of PHP 8.5.6. This is a security release.

All PHP 8.5 users are encouraged to upgrade to this version.

For source downloads of PHP 8.5.6 please visit our downloads page, Windows source and binaries can also be found there. The list of changes is recorded in the ChangeLog.

Source Code

• PHP 8.5.6 (tar.gz)
  sha256: 169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd
• PHP 8.5.6 (tar.bz2)
  sha256: 4457240f65f0c59a620920d66cdab1b12100a431e03ad9febe38b13a1b25957f
• PHP 8.5.6 (tar.xz)
  sha256: 826c600b7c6f956bd335558ca3bdbcab23b22126c1cc8d9348be2280a2204bb7

Change Log

• core
  • Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors).
  • Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang.
  • Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1).
  • Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies).
  • Fixed bug GH-21605 (Missing addref for Countable::count()).
  • Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws).
  • Fixed bug GH-21603 (Missing addref for __unset).
  • Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV).
• cli
  • Fixed bug GH-21754 (`--rf` command line option with a method triggers ext/reflection deprecation warnings).
• curl
  • Add support for brotli and zstd on Windows.
• dom
  • Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
• fpm
  • Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
• iconv
  • Fixed bug GH-17399 (iconv memory leak on bailout).
• lexbor
  • Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079)
• mbstring
  • Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
  • Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104)
• opcache
  • Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg).
  • Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch).
  • Fixed bug GH-21460 (COND optimization regression).
  • Fixed faulty returns out of zend_try block in zend_jit_trace().
• openssl
  • Fix memory leak regression in openssl_pbkdf2().
  • Fix a bunch of memory leaks and crashes on edge cases.
• pdo_firebird
  • Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)
• pdo_pgsql
  • Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0 on empty result set).
• phar
  • Restore is_link handler in phar_intercept_functions_shutdown.
  • Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment).
  • Fix memory leak in Phar::offsetGet().
  • Fix memory leak in phar_add_file().
  • Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close).
  • Fix memory leak in phar_verify_signature() when md_ctx is invalid.
• random
  • Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state).
• session
  • Fixed memory leak when session GC callback return a refcounted value.
• soap
  • Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)
  • Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
  • Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262)
• spl
  • Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free).
  • Fix concurrent iteration and deletion issues in SplObjectStorage.
• sqlite3
  • Fixed wrong free list comparator pointer type.
• standard
  • Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568)
  • Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)
• streams
  • Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set).
• uri
  • Fixed CVE-2026-42371 (uriparser before 1.0.1 has numeric truncation in text range comparison). (CVE-2026-42371)