PHP 8.5.8
PHP 8.5.8 has been released on July 2, 2026. This is a security release that addresses a critical vulnerability (CVE-2026-14355) in the OpenSSL extension, along with numerous bug fixes across the core and extensions.
Security Fix
- CVE-2026-14355 — Memory corruption (zend_mm_heap corrupted) in openssl_encrypt with AES-WRAP-PAD has been fixed.
Core Improvements
- Fixed incorrect compile error for
gototo label preceding try/finally block (GH-22280). - Fixed assertion when error handler throws during NaN to bool/string coercion (GH-22112).
Extension Fixes
- BCMath: Fixed oversized allocations and signed overflow in bcround() and BcMath\Number::round().
- Date: Fixed incorrect recurrence check of DatePeriod::createFromISO8601String().
- Exif: Read correct value for single and double tags.
- GD: Fixed double free in gdImageSetStyle() after overflow-triggered early return (GH-22121).
- Intl: Fixed argument positions for invalid start/end arguments in transliterator_transliterate(). Fixed IntlTimeZone::getDisplayName() error state synchronization.
- Opcache: Fixed tailcall vm_interrupt bug (GH-22265), unsafe inheritance cache replay (GH-20469), and corrupted variable type with reference wrapper (GH-21972).
- Phar: Fixed bypass of the magic ".phar" directory protection in Phar::addEmptyDir().
- SOAP: Fixed SoapServer::handle() crash on $_SERVER not being an array (GH-22218) and raw input handling (GH-22285).
- Zip: Fixed error-related memory leaks.
- Zlib: Fixed memory leak if deflate initialization fails, and memory leak in inflate_add().
Upgrade Guide
All PHP 8.5 users are encouraged to upgrade to this version as soon as possible due to the security fix. The upgrade is straightforward — download the latest source from the PHP website or use your package manager. For Windows users, prebuilt binaries are available on the downloads page.
PHP 8.5.8 is available now. Visit php.net/downloads to get the latest version.