PHP 8.4.20: Downloads, Changelog, News

Release Information

Release: 8.4.20
PHP Version: PHP 8.4
Release Date: 2026 Apr 09
Release Type: Bug Fix Release
Release Status: Latest Release in 8.4
Branch Status: Supported

Latest release for PHP 8.4.
PHP 8.4 continues to receive bug fixes and security fixes until 2026-12-31.

PHP can be compiled by setting up the dependencies, building the configure script (./buildconf), configuring the build ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.

Windows binaries

Non-Thread Safe Builds

Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.

php-8.4.20-x64NTS.zip

SHA256: bac1a970a676e8d875d5d39fc5ff388f231fadb9fb051b77b17db06a657673df

php-8.4.20-x86NTS.zip

SHA256: cf202f45dcf7776d8ab2aafe3dd518bb0b3b5d8ccd2d84a9049aa0c5e7af8b66

Thread-Safe Builds

Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.

php-8.4.20-x64TS.zip

Size: 0 MiB SHA256: 11f211a3a657962071f967f7e8f2dc1cfc379168093f6bc1d3cd0071eb47e178

php-8.4.20-x86TS.zip

Size: 0 MiB SHA256: 8356c87d3f2bb6d96f82f599b4f12788407209dd564c9c5abd073b43715e0199

Docker/Podman Containers

PHP CLI

PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.4.20-cli-alpine

Debian-based: More compatible with other components, complete, and are widely used.

docker pull php:8.4.20-cli

PHP CLI + Web Server Integration

These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.4.20-fpm-alpine

Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.

docker pull php:8.4.20-apache

Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.

docker pull php:8.4.20-fpm

ChangeLog

Bz2

Fix truncation of total output size causing erroneous errors.

Core

Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in get_property_ptr_ptr for lazy proxies).

DOM

Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and xml:lang attributes).

FFI

Fixed resource leak in FFI::cdef() onsymbol resolution failure.

GD

Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support).

Opcache

Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results).
Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with IS_UNDEF property in polymorphic context).
Fixed bug GH-21395 (uaf in jit).

OpenSSL

Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based keys).
Fix missing error propagation for BIO_printf() calls.

PCRE

Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl, php_pcre_split_impl, and php_pcre_grep_impl.

PGSQL

Fixed preprocessor silently guarding PGSQL_SUPPRESS_TIMESTAMPS support due to a typo.

SNMP

Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with NULL arguments).

SOAP

Fixed Set-Cookie parsing bug wrong offset while scanning attributes.

SPL

Fixed bug GH-21454 (missing write lock validation in SplHeap).

Standard

Fixed bug GH-20906 (Assertion failure when messing up output buffers).
Fixed bug GH-20627 (Cannot identify some avif images with getimagesize).

Sysvshm

Fix memory leak in shm_get_var() when variable is corrupted.

XSL

Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with Dom\XMLDocument).
Fixed bug GH-21496 (UAF in dom_objects_free_storage). (David Carlier/ndossche)

Commit List

Daniel Scherzer

php_version.h: remove trailing whitespace in 90cb181844

David Carlier

ext/pcre: fix memory leaks on error paths in 78702fa470
ext/pcre: fix mdata_used race conditions in PCRE functions in f8114f554c
ext/pcntl: add new tests to ver invalid signals handling in cf9d6f454a
Fix GH-21336: undefined behavior in snmp setSecurity in 41458c6ad6
ext/soap: Fix wrong cookie options offset calculation, using separator offset instead in 1b61d555fb
ext/gd: phpinfo() to be able to display libjpeg 10.0 support in e257c086bb
ext/ffi: Fix resource leak in FFI::cdef() on symbol resolution failure in 97bb48ec2e
Fix GH-21496: UAF in dom_objects_free_storage in d28e55c4ef

Derick Rethans

Updated to version 2026.1 (2026a) in f437b39060
Empty merge in 9daecc18e0
Updated to version 2026.1 (2026a) in 04897559f0

Dmitry Stogov

Update IR in f073425426
Update IR in GH-21462

Gina Peter Banyard

ext/session: Fix memory leak due to multiple exception happening during session abort in 0acde11945

Ilia Alshanetsky

Fix GH-20838: JIT compiler produces wrong arithmetic results in GH-21383
Fix GH-21083: Skip private_key_bits validation for EC/curve-based keys in 7950482562
Fix GH-21267: JIT infinite loop on FETCH_OBJ_R with IS_UNDEF property in GH-21368
Fix GH-20875: Propagate IN_GET guard in get_property_ptr_ptr for lazy proxies in 9ec303edde

Ilija Tovilo

Make one linux job run function jit on push in a5a5e3acdd
Add RUN_RESOURCE_HEAVY_TESTS env var in 3a57b4ced5
Fix enabling of opcache in benchmark job in older branches in 7324cd7f21
Backport .github changes for Solaris in c21af8c598
Fix expected output for bug52820.phpt in b8b5fb074d
Fix Laravel build for PHP 8.2 in 183d2a617f
Use default branch for symfony/laravel when possible in 272cf1fb2d

Jakub Zelenka

Add back FPM_RUN_RESOURCE_HEAVY_TESTS in 71a01794cc
Remove XFAIL for proc-idle-timeout.phpt in 04023e5e72

ndossche

Fix GH-20906: Assertion failure when messing up output buffers in 1709689256
Revert "ext/session: Fix memory leak due to multiple exception happening during session abort" in 3073948885
Fix memory leak in shm_get_var() when variable is corrupted in ea8aab9220
soap: Fix const-generic compile warning in ae0bf447b4
soap: Fix const violation in c4c1261196
Fix GH-21357: XSLTProcessor works with DOMDocument, but fails with Dom\XMLDocument in 284fd7779d
ext/zip: Fix const-generic compile warning in b95f0ebc47
Fix GH-21454: Missing write lock validation in SplHeap in 8796d75365
openssl: Fix missing error propagation for BIO_printf() calls in f92d54b6b5
Fix GH-21486: Dom\HTMLDocument parser mangles xml:space and xml:lang attributes in c920daa7ec

Niels Dossche

bz2: Fix truncation of total output size causing erroneous errors in 4ee95fc2f3

Nora Dossche

Fix pcre leak test in GH-21327
Fix compile warnings under GCC 15.2.1 in GH-21320

Rasmus Lerdorf

Fix GH-21411: opcache_compile_file() fails to early-bind classes without parents in GH-21412

Remi Collet

zip is now 1.22.8 in fb80f35fdc

Saki Takamachi

Update versions for PHP 8.4.20 in 90744ec52a

Yannis

Update ext/standard/libavifinfo in c3777c73b3

武田憲太郎

ext/pgsql: Fix preprocessor guard typo that silently disabled a feature in 35d98cb6ce