Author: Daniel Scherzer (DanielEScherzer)
Date: 2026-05-07T11:04:36-07:00
Commit:
https://github.com/php/web-php/commit/22334a6ff1da2b408ca2b86add52b1545bfd0d88
Raw diff:
https://github.com/php/web-php/commit/22334a6ff1da2b408ca2b86add52b1545bfd0d88.diff
Announce PHP 8.5.6
Changed paths:
A archive/entries/2026-05-07-4.xml
A releases/8_5_6.php
M ChangeLog-8.php
M archive/archive.xml
M include/release-qa.php
M include/releases.inc
M include/version.inc
Diff:
diff --git a/ChangeLog-8.php b/ChangeLog-8.php
index 0ee56b01d5..7b7d4e6fbe 100644
--- a/ChangeLog-8.php
+++ b/ChangeLog-8.php
@@ -9,6 +9,119 @@
<a id="PHP_8_5"></a>
+<section class="version" id="8.5.6"><!-- {{{ 8.5.6 -->
+<h3>Version 8.5.6</h3>
+<b><?php release_date('07-May-2026'); ?></b>
+<ul><li>Core:
+<ul>
+ <li>Fixed bug <?php githubissuel('php/php-src', 19983); ?> (GC assertion
failure with fibers, generators and destructors).</li>
+ <li>Fixed ZEND_API mismatch on zend_ce_closure forward decl for
Windows+Clang.</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21504); ?> (Incorrect
RC-handling for ZEND_EXT_STMT op1).</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21478); ?> (Forward property
operations to real instance for initialized lazy proxies).</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21605); ?> (Missing addref
for Countable::count()).</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21699); ?> (Assertion
failure in shutdown_executor when resolving self::/parent::/static:: callables
if the error handler throws).</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21603); ?> (Missing addref
for __unset).</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21760); ?> (Trait with class
constant name conflict against enum case causes SEGV).</li>
+</ul></li>
+<li>CLI:
+<ul>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21754); ?> (`--rf` command
line option with a method triggers ext/reflection deprecation warnings).</li>
+</ul></li>
+<li>Curl:
+<ul>
+ <li>Add support for brotli and zstd on Windows.</li>
+</ul></li>
+<li>DOM:
+<ul>
+ <li>Fixed <?php githubsecurityl('php/php-src', '4jhr-8w89-j733'); ?> and
<?php githubissuel('php/php-src', 21566); ?> (Dom\XMLDocument::C14N() emits
duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)</li>
+</ul></li>
+<li>FPM:
+<ul>
+ <li>Fixed <?php githubsecurityl('php/php-src', '7qg2-v9fj-4mwv'); ?> (XSS
within status endpoint). (CVE-2026-6735)</li>
+</ul></li>
+<li>Iconv:
+<ul>
+ <li>Fixed bug <?php githubissuel('php/php-src', 17399); ?> (iconv memory
leak on bailout).</li>
+</ul></li>
+<li>Lexbor:
+<ul>
+ <li>Upgrade to lexbor v2.7.0.</li>
+</ul></li>
+<li>MBString:
+<ul>
+ <li>Fixed <?php githubsecurityl('php/php-src', 'wm6j-2649-pv75'); ?> (Null
pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()).
(CVE-2026-7259)</li>
+ <li>Fixed <?php githubsecurityl('php/php-src', '74r9-qxhc-fx53'); ?>
(Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104)</li>
+</ul></li>
+<li>Opcache:
+<ul>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21158); ?> (JIT: Assertion
jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg).</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21593); ?> (Borked function
JIT JMPNZ smart branch).</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21460); ?> (COND
optimization regression).</li>
+ <li>Fixed faulty returns out of zend_try block in zend_jit_trace().</li>
+</ul></li>
+<li>OpenSSL:
+<ul>
+ <li>Fix memory leak regression in openssl_pbkdf2().</li>
+ <li>Fix a bunch of memory leaks and crashes on edge cases.</li>
+</ul></li>
+<li>PDO_Firebird:
+<ul>
+ <li>Fixed <?php githubsecurityl('php/php-src', 'w476-322c-wpvm'); ?> (SQL
injection via NUL bytes in quoted strings). (CVE-2025-14179)</li>
+</ul></li>
+<li>PDO_PGSQL:
+<ul>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21683); ?> (pdo_pgsql throws
with ATTR_PREFETCH=0 on empty result set).</li>
+</ul></li>
+<li>Phar:
+<ul>
+ <li>Restore is_link handler in phar_intercept_functions_shutdown.</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21797); ?> (phar: NULL
dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI
environment).</li>
+ <li>Fix memory leak in Phar::offsetGet().</li>
+ <li>Fix memory leak in phar_add_file().</li>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21799); ?> (phar: propagate
phar_stream_flush return value from phar_stream_close).</li>
+ <li>Fix memory leak in phar_verify_signature() when md_ctx is invalid.</li>
+</ul></li>
+<li>Random:
+<ul>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21731); ?>
(Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state).</li>
+</ul></li>
+<li>Session:
+<ul>
+ <li>Fixed memory leak when session GC callback return a refcounted
value.</li>
+</ul></li>
+<li>SOAP:
+<ul>
+ <li>Fixed <?php githubsecurityl('php/php-src', '85c2-q967-79q5'); ?> (Stale
SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)</li>
+ <li>Fixed <?php githubsecurityl('php/php-src', 'm33r-qmcv-p97q'); ?>
(Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION).
(CVE-2026-7261)</li>
+ <li>Fixed <?php githubsecurityl('php/php-src', 'hmxp-6pc4-f3vv'); ?> (Broken
Apache map value NULL check). (CVE-2026-7262)</li>
+</ul></li>
+<li>SPL:
+<ul>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21499); ?>
(RecursiveArrayIterator getChildren UAF after parent free).</li>
+ <li>Fix concurrent iteration and deletion issues in SplObjectStorage.</li>
+</ul></li>
+<li>Sqlite3:
+<ul>
+ <li>Fixed wrong free list comparator pointer type.</li>
+</ul></li>
+<li>Standard:
+<ul>
+ <li>Fixed <?php githubsecurityl('php/php-src', '96wq-48vp-hh57'); ?> (Signed
integer overflow of char array offset). (CVE-2026-7568)</li>
+ <li>Fixed <?php githubsecurityl('php/php-src', 'm8rr-4c36-8gq4'); ?>
(Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)</li>
+</ul></li>
+<li>Streams:
+<ul>
+ <li>Fixed bug <?php githubissuel('php/php-src', 21468); ?> (Segfault in
file_get_contents w/ a https URL and a proxy set).</li>
+</ul></li>
+<li>URI:
+<ul>
+ <li>Fixed CVE-2026-42371 (uriparser before 1.0.1 has numeric truncation in
text range comparison). (CVE-2026-42371)</li>
+</ul></li>
+</ul>
+<!-- }}} --></section>
+
+
+
<section class="version" id="8.5.5"><!-- {{{ 8.5.5 -->
<h3>Version 8.5.5</h3>
<b><?php release_date('09-Apr-2026'); ?></b>
diff --git a/archive/archive.xml b/archive/archive.xml
index 7c22de456f..5d45dc6e83 100644
--- a/archive/archive.xml
+++ b/archive/archive.xml
@@ -9,6 +9,7 @@
<uri>http://php.net/contact</uri>
<email>[email protected]</email>
</author>
+ <xi:include href="entries/2026-05-07-4.xml"/>
<xi:include href="entries/2026-05-07-3.xml"/>
<xi:include href="entries/2026-05-07-2.xml"/>
<xi:include href="entries/2026-05-07-1.xml"/>
diff --git a/archive/entries/2026-05-07-4.xml b/archive/entries/2026-05-07-4.xml
new file mode 100644
index 0000000000..a2ad8fd827
--- /dev/null
+++ b/archive/entries/2026-05-07-4.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<entry xmlns="http://www.w3.org/2005/Atom";>
+ <title>PHP 8.5.6 Released!</title>
+ <id>https://www.php.net/archive/2026.php#2026-05-07-4</id>
+ <published>2026-05-07T17:59:54+00:00</published>
+ <updated>2026-05-07T17:59:54+00:00</updated>
+ <link href="https://www.php.net/index.php#2026-05-07-4"; rel="alternate"
type="text/html"/>
+ <link href="https://www.php.net/archive/2026.php#2026-05-07-4"; rel="via"
type="text/html"/>
+ <category term="releases" label="New PHP release"/>
+ <category term="frontpage" label="PHP.net frontpage news"/>
+ <content type="xhtml">
+ <div xmlns="http://www.w3.org/1999/xhtml";><p>The PHP development team
announces the immediate availability of PHP 8.5.6. This is a security
release.</p>
+
+<p>All PHP 8.5 users are encouraged to upgrade to this version.</p>
+
+<p>For source downloads of PHP 8.5.6 please visit our <a
href="https://www.php.net/downloads.php";>downloads page</a>,
+Windows source and binaries can also be found <a
href="https://www.php.net/downloads.php?os=windows&version=8.5";>there</a>.
+The list of changes is recorded in the <a
href="https://www.php.net/ChangeLog-8.php#8.5.6";>ChangeLog</a>.
+</p> </div>
+ </content>
+</entry>
diff --git a/include/release-qa.php b/include/release-qa.php
index 56ebd018d1..23e3bcfdaf 100644
--- a/include/release-qa.php
+++ b/include/release-qa.php
@@ -88,10 +88,10 @@
'active' => true,
'release' => [
'type' => 'RC',
- 'number' => 3,
- 'sha256_bz2' =>
'7084b65f8a37558950a657654d0cabda0778d9c3b49f1c79a16bf2c9611d109b',
- 'sha256_gz' =>
'01e12f91a9c6924d42d208a1d97a32930562caa410f49f0caae62e07bfe014ff',
- 'sha256_xz' =>
'5faeca2a67e766f897a51c7a93414706d168d75c862f86343f6c4658c318eee5',
+ 'number' => 0,
+ 'sha256_bz2' => '',
+ 'sha256_gz' => '',
+ 'sha256_xz' => '',
'date' => '30 Apr 2026',
'baseurl' => 'https://downloads.php.net/~daniels/',
],
diff --git a/include/releases.inc b/include/releases.inc
index 2e93680e69..baf2ee2c0e 100644
--- a/include/releases.inc
+++ b/include/releases.inc
@@ -2,6 +2,42 @@
$OLDRELEASES = array (
8 =>
array (
+ '8.5.5' =>
+ array (
+ 'announcement' =>
+ array (
+ 'English' => '/releases/8_5_5.php',
+ ),
+ 'tags' =>
+ array (
+ ),
+ 'date' => '09 Apr 2026',
+ 'source' =>
+ array (
+ 0 =>
+ array (
+ 'filename' => 'php-8.5.5.tar.gz',
+ 'name' => 'PHP 8.5.5 (tar.gz)',
+ 'sha256' =>
'276279f637a875a514346b332bba6d8b06c036cf7979a858e5c55f72c4874884',
+ 'date' => '09 Apr 2026',
+ ),
+ 1 =>
+ array (
+ 'filename' => 'php-8.5.5.tar.bz2',
+ 'name' => 'PHP 8.5.5 (tar.bz2)',
+ 'sha256' =>
'ee262beff61c431965d1f97192854b36208adeac38983c3498bb3500ae87283c',
+ 'date' => '09 Apr 2026',
+ ),
+ 2 =>
+ array (
+ 'filename' => 'php-8.5.5.tar.xz',
+ 'name' => 'PHP 8.5.5 (tar.xz)',
+ 'sha256' =>
'95bec382f4bd00570a8ef52a58ec04d8d9b9a90494781f1c106d1b274a3902f2',
+ 'date' => '09 Apr 2026',
+ ),
+ ),
+ 'museum' => false,
+ ),
'8.2.30' =>
array (
'announcement' =>
diff --git a/include/version.inc b/include/version.inc
index 4eec5648be..0cf60e3688 100644
--- a/include/version.inc
+++ b/include/version.inc
@@ -20,15 +20,15 @@ $RELEASES = (function () {
/* PHP 8.5 Release */
$data['8.5'] = [
- 'version' => '8.5.5',
- 'date' => '09 Apr 2026',
- 'tags' => [], // Set to ['security'] for security releases.
+ 'version' => '8.5.6',
+ 'date' => '07 May 2026',
+ 'tags' => ['security'], // Set to ['security'] for security releases.
'sha256' => [
// WARNING: Order of SHA256 entries here is DIFFERENT from the
// order in the manifest
- 'tar.gz' =>
'276279f637a875a514346b332bba6d8b06c036cf7979a858e5c55f72c4874884',
- 'tar.bz2' =>
'ee262beff61c431965d1f97192854b36208adeac38983c3498bb3500ae87283c',
- 'tar.xz' =>
'95bec382f4bd00570a8ef52a58ec04d8d9b9a90494781f1c106d1b274a3902f2',
+ 'tar.gz' =>
'169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd',
+ 'tar.bz2' =>
'4457240f65f0c59a620920d66cdab1b12100a431e03ad9febe38b13a1b25957f',
+ 'tar.xz' =>
'826c600b7c6f956bd335558ca3bdbcab23b22126c1cc8d9348be2280a2204bb7',
]
];
diff --git a/releases/8_5_6.php b/releases/8_5_6.php
new file mode 100644
index 0000000000..579cdac2e1
--- /dev/null
+++ b/releases/8_5_6.php
@@ -0,0 +1,16 @@
+<?php
+$_SERVER['BASE_PAGE'] = 'releases/8_5_6.php';
+include_once __DIR__ . '/../include/prepend.inc';
+site_header('PHP 8.5.6 Release Announcement');
+?>
+<h1>PHP 8.5.6 Release Announcement</h1>
+
+<p>The PHP development team announces the immediate availability of PHP 8.5.6.
This is a security release.</p>
+
+<p>All PHP 8.5 users are encouraged to upgrade to this version.</p>
+
+<p>For source downloads of PHP 8.5.6 please visit our <a
href="https://www.php.net/downloads.php";>downloads page</a>,
+Windows source and binaries can also be found <a
href="https://www.php.net/downloads.php?os=windows&version=8.5";>there</a>.
+The list of changes is recorded in the <a
href="https://www.php.net/ChangeLog-8.php#8.5.6";>ChangeLog</a>.
+</p>
+<?php site_footer();
