Release Information
- Release Type
- Security Update
- Release Status
- Latest Release in 8.4
- Branch Status
- Supported
Latest release for PHP 8.4. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.4 continues to receive bug fixes and security fixes until 2026-12-31.
Downloads
Source Code
Git Clone
Use Git to clone the 8.4.22 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.4.22How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.4.22-x64NTS.zip
SHA256:
f661da9a4a6b7992a8e801ec7441ee22a2b5a6cd0ff178559a81427c9803f45a php-8.4.22-x86NTS.zip
SHA256:
2fd73580517832e8d8a51f010493949a07fe587bf29e2a2ec039992e68c92bd8 Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.4.22-x64TS.zip
Size: 0 MiB SHA256:
dd7a716bbac734cc7f2f9a9d86aa678e2ae6f83a612b0a8ab1ac186b494d619f php-8.4.22-x86TS.zip
Size: 0 MiB SHA256:
74561072e537fc7dd8b8c98eee74e9348aa7534c2797c98fd7476a21f98595e2 Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.4.22-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.4.22-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.4.22-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.4.22-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.4.22-fpmChangeLog
Date
- Fixed bug GH-18422 (int overflow in
php_date_llabs).
Intl
- Fix incorrect argument positions in out-of-bounds errors for
IntlCalendar::set(),IntlCalendar::setDate(),IntlCalendar::setDateTime(), and IntlGregorianCalendar date/time construction. - Expose Spoofchecker restriction-level APIs on all supported ICU versions.
- Fix
SpoofChecker::setAllowedChars()andIntlDateFormatter::__construct()to report PHP constant names instead of ICU constant names in user-visible error messages.
MySQLnd
- Fix persistent free of non-persistent connect_attr key
Opcache
- Fixed tracing JIT crash when a VM interrupt is handled during an observed user function call.
- Fixed bug GH-22004 (Assertion failure at
ext/opcache/jit/zend_jit_trace.c).
OpenSSL
- Fix compatibility issues with OpenSSL 4.0.
Phar
- Fixed bug GH-21986 (
PharData::getContent()crash on infinite recursion with symlinks).
SOAP
- Fixed integer overflow when decoding SOAP array indexes.
SPL
- Fix
SplFixedArray::setSizeleak when destructor grows during clear. - Fixed bug GH-21933 (use after free of self-freeing MultipleIterator children).
Standard
- Fixed bug GH-21689 (
version_compare()incorrectly handles versions ending with a dot). - Fixed
ip2long()leading zeros handling inconsistency on AIX.
Commit List
Arnaud Le Blanc
- Fix compiler warning with GCC 16: variable 'offset' set but not used [-Werror=unused-but-set-variable=] in ac86e10468
- Fix compiler warning with glibc 2.43 support of C23 const-preserving standard library macros: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] in 6a27514509
- JIT: Fix TSSA of
ZEND_FE_FETCH_Rwith key operand in ef589ce669 - Fix compiler warning with glibc 2.43 support of C23 const-preserving standard library macros: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] in 3a8307d3e5
David Carlier
- Fix GH-21544: Dom\XMLDocument::C14N() drops namespace declarations on DOM-built documents in d43c523c48
ext/spl: FixSplFixedArray::setSizeleak when destructor grows during clear in cb3dc62fd9- Fix GH-21927: Use-after-free of self-freeing MultipleIterator children in 71926644bb
ext/mysqlnd: Fix persistent free of non-persistent connect_attr key in 6e87107575ext/xml: Usezend_string_safe_realloc()for cdata concatenation in d5a57af4e2
Dmitry Stogov
Ilia Alshanetsky
- Fix GH-20214:
PDO::FETCH_DEFAULTunexpected behavior withPDOStatement::setFetchModein GH-21434 - JIT: Fix escape_if_undef on PHP-8.4 CALL VM in 05afc37eff
- Fix GH-18422: int overflow in
php_date_llabsin 09ca095aa8
Ilija Tovilo
- Revert "Fix GH-20214:
PDO::FETCH_DEFAULTunexpected behavior withPDOStatement::setFetchMode(#21434)" in 171b722edc - Backport compatibility changes for OpenSSL 4.0 in 19255f4b78
- GHSA-85c2-q967-79q5: [soap] Fix stale SOAP_GLOBAL(ref_map) pointer with Apache Map in aee3b3ac9b
- GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after header parsing failure with
SOAP_PERSISTENCE_SESSIONin db2a7f9348 - GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value NULL check in 79551ab8b1
- GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to
ctype.hfunctions in a38418777f - GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to
ctype.hfunctions in 398b7dabfb - GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to
ctype.hfunctions in dc9e21b81c - GHSA-74r9-qxhc-fx53: [mbstring] Fix out-of-bounds access in
mbfl_name2encoding_ex()in 56ee76f820
Jakub Zelenka
- GHSA-7qg2-v9fj-4mwv: [fpm] XSS within status endpoint in 99a5ad7441
Levi Morrison
- Fix JIT vm_interrupt in GH-21910
Michael Orlitzky
ext/gd: fix gh16559 and gh17349 tests in 37bb1c39a9
Reshma V Kumar
ext/standard: Fix ip2long in AIX to treat IPs with leading zeros as invalid like LINUX in e88e04909c
Saki Takamachi
- GHSA-w476-322c-wpvm: [pdo_firebird] Fix SQL injection via NUL bytes in quoted strings in 3f40b65323
- Update versions for PHP 8.4.22 in 3e89d86383
Shivam Mathur
- Preserve full XMM registers in Windows VM wrapper in GH-21976
Tim Düsterhus
zend_compile: Fix incorrect use ofZVAL_NEW_STR()inzend_compile_call()in GH-21851- version_compare: Fix handling of version numbers with a trailing dot in GH-21689
- GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer overflow of char array offset in 47def8ce1d
vi3tL0u1s
- GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer dereference in
php_mb_check_encoding()viamb_ereg_search_init()in 79a054eae0
“LamentXU123”
ext/intl: Fix out-of-bounds argument positions in calendar date/time APIs in 10704f079fext/intl: Expose Spoofchecker restriction-level APIs on all supported ICU versions in 4f947157b7ext/intl: use PATTERN constant name in dateformat errors in 2d784891ff