Releasebot
Join for free

PHP Release Notes

Last updated: Oct 11, 2025

RSS Email Slack API
  • Sep 25, 2025
    • Parsed from source:
      Sep 25, 2025
    • Detected by Releasebot:
      Oct 11, 2025
    PHP logo

    PHP

    Version 8.4.13

    A broad set of bug fixes across core and extensions improves stability and reliability from CLI to FPM, with memory leak and use-after-free protections, and better date, Intl, and streams handling. This release tightens security, fixes crashes, and corrects edge cases like file inclusion, SSL, and diagnostics.

    Core

    • Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers "Constant already defined" warning).
    • Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail due to signed int overflow).
    • Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references).
    • Fixed bug GH-19613 (Stale array iterator pointer).
    • Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge).
    • Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0).
    • Fixed bug GH-19720 (Assertion failure when error handler throws when accessing a deprecated constant).

    CLI

    • Fixed bug GH-19461 (Improve error message on listening error with IPv6 address).

    Date

    • Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.

    DBA

    • Fixed bug GH-19706 (dba stream resource mismanagement).

    DOM

    • Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug).

    FPM

    • Fixed failed debug assertion when php_admin_value setting fails.

    Intl

    • Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter).

    Opcache

    • Fixed bug GH-19493 (JIT variable not stored before YIELD).

    OpenSSL

    • Fixed bug GH-19245 (Success error message on TLS stream accept failure).

    PGSQL

    • Fixed bug GH-19485 (potential use after free when using persistent pgsql connections).

    Phar

    • Fixed memory leaks when verifying OpenSSL signature.
    • Fix memory leak in phar tar temporary file error handling code.
    • Fix metadata leak when phar convert logic fails.
    • Fix memory leak on failure in phar_convert_to_other().
    • Fixed bug GH-19752 (Phar decompression with invalid extension can cause UAF).

    Standard

    • Fixed bug GH-16649 (UAF during array_splice).
    • Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator).

    Streams

    • Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
    • Fix OSS-Fuzz #385993744.

    Zip

    • Fix memory leak in zip when encountering empty glob result.
    Original source Report a problem
  • Aug 28, 2025
    • Parsed from source:
      Aug 28, 2025
    • Detected by Releasebot:
      Oct 11, 2025
    PHP logo

    PHP

    Version 8.4.12

    Product release ships a sweeping set of fixes across Core and modules, boosting stability, security, and performance. Users gain safer generator handling, stronger calendar and OpenSSL behavior, and broader platform reliability with targeted bug fixes.

    Core

    • Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
    • Fixed bug GH-19053 (Duplicate property slot with hooks and interface property).
    • Fixed bug GH-19044 (Protected properties are not scoped according to their prototype).
    • Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking).
    • Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr).
    • Fixed bug GH-19305 (Operands may be being released during comparison).
    • Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array causes assertion failure).
    • Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator).
    • Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes).
    • Fixed bug GH-18736 (Circumvented type check with return by ref + finally).
    • Fixed bug GH-19065 (Long match statement can segfault compiler during recursive SSA renaming).

    Calendar

    • Fixed bug GH-19371 (integer overflow in calendar.c).

    FTP

    • Fix theoretical issues with hrtime() not being available.

    GD

    • Fix incorrect comparison with result of php_stream_can_cast().

    Hash

    • Fix crash on clone failure.

    Intl

    • Fix memleak on failure in collator_get_sort_key().
    • Fix return value on failure for resourcebundle count handler.

    LDAP

    • Fixed bug GH-18529 (additional inheriting of TLS int options).

    LibXML

    • Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by php_libxml_node_free).

    MbString

    • Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown).

    Opcache

    • Reset global pointers to prevent use-after-free in zend_jit_status().
    • Fix issue with JIT restart and hooks.
    • Fix crash with dynamic function defs in hooks during preload.

    OpenSSL

    • Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file() return value check).
    • Fix error return check of EVP_CIPHER_CTX_ctrl().
    • Fixed bug GH-19428 (openssl_pkey_derive segfaults for DH derive with low key_length param).

    PDO Pgsql

    • Fixed dangling pointer access on _pdo_pgsql_trim_message helper.

    SOAP

    • Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref).

    Sockets

    • Fix some potential crashes on incorrect argument value.

    Standard

    • Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache).
    • Fix theoretical issues with hrtime() not being available.
    • Fixed bug GH-19300 (Nested array_multisort invocation with error breaks).

    Windows

    • Free opened_path when opened_path_len >= MAXPATHLEN.
    Original source Report a problem

This is the end. You've seen all the release notes in this feed!