The PHP development team released PHP 8.5.6 on May 6, 2026, delivering a focused maintenance update that addresses security vulnerabilities, memory leaks, and runtime stability issues across the core engine and several bundled extensions.
Downloads are available now at php.net. Server administrators running any earlier 8.5.x build should treat this as a priority update. The security fixes are the clearest reason to move quickly.
Several CVEs in this release target memory corruption and injection risks that surface under real production conditions rather than controlled test environments. The MBString extension receives a fix for null pointer dereferences that crash scripts during multibyte encoding checks.
These failures are not always predictable in development but tend to appear reliably under sustained load. The Standard module addresses signed integer overflows in character array offset handling, a category of bug that can allow an attacker to influence memory operations in ways the runtime was never designed to permit. The SOAP extension also receives critical attention.
Use-after-free bugs and stale pointer issues in SOAP’s session persistence handling are patched in this release. These problems appear specifically when persistence sessions fail during header parsing, a scenario that is uncommon in simple deployments but shows up regularly in enterprise middleware and legacy integration layers that rely on SOAP for service communication.
Leaving them unpatched means running with a memory state that the runtime itself cannot trust. Opcache sees some of the most practically significant changes in this release.
JIT assertion failures caused by incorrect smart branch optimization for JMPNZ instructions are resolved here. In plain terms, scripts that rely on tight loops or complex conditional jumps were hitting random crashes during JIT-compiled execution with no consistent reproduction pattern.
That makes the bugs particularly painful to diagnose in production because they appear to be intermittent when they are actually deterministic under specific code paths.
The COND optimization regression fix addresses related issues in bytecode generation for heavily nested control structures. Neither change adds new functionality, but both remove failure modes that have been causing unexpected downtime for developers who enabled JIT.
Extension-level fixes cover a useful range of deployment scenarios. Windows developers gain Brotli and zstd compression support in the Curl extension, bringing the Windows build in line with what Linux and macOS users have been able to do for some time.
Applications making API calls to modern endpoints that respond with brotli-compressed content were previously falling back to uncompressed transfers on Windows, which increased bandwidth consumption unnecessarily. The Phar extension gets NULL dereference fixes when environment variables are absent, along with memory leak patches in its file verification routines.
Developers using DOM XML serialization will find the duplicate xmlns declaration bug after setAttributeNS calls are finally resolved, a regression that has been causing malformed output in certain XML document construction workflows.
A linker error affecting Windows developers building custom PHP extensions with Clang is also corrected. The ZEND_API mismatch that caused the error during custom module compilation made it impossible to build certain extension combinations on Windows without patching the source manually. Memory management improvements run through several other components.
OpenSSL, PDO_Firebird, and session garbage collection all receive patches targeting gradual memory accumulation over long-running process lifetimes.
PHP applications deployed as persistent processes, whether through PHP-FPM pools, ReactPHP event loops, or similar async frameworks, are the most exposed to these leaks because they do not restart frequently enough to flush accumulated memory naturally. The fixes reduce the rate at which these processes grow their memory footprint over time without requiring any change to application code.
PHP 8.5 is the current stable branch and the version now shipping in distributions like AlmaLinux 10.2, Fedora 44, and Ubuntu 26.04. This release does not introduce any new language features or deprecations. It is purely corrective work targeting a set of bugs that have been accumulating since the 8.5.5 release.
Running the latest patch level on any PHP version is standard practice for production deployments, and 8.5.6 gives a more specific set of reasons than most maintenance releases.
Full release details and source downloads are available at the official PHP releases page.
