Release Information
- Release Type
- Security Update
- Release Status
- Latest
- Branch Status
- Supported (Latest)
Latest PHP release in the latest version. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.5 continues to receive bug fixes and security fixes until 2027-12-31.
Downloads
Source Code
Git Clone
Use Git to clone the 8.5.7 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.5.7How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.5.7-x64NTS.zip
SHA256:
2ff43fea9a243085493b48c7c47152c0678cff0b05c61a3b4f4b43ba22de212c php-8.5.7-x86NTS.zip
SHA256:
c145dbd642503ea79985d7b84e320604b38da7b3cb36dc410a1614843709328a Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.5.7-x64TS.zip
Size: 0 MiB SHA256:
0e8a7a368de950408e1df5d34a5a9deb3817e434007f28f310e6674354ed8d06 php-8.5.7-x86TS.zip
Size: 0 MiB SHA256:
367e2c8d5ee0288dc2741f71ef715ccf04a5ec78d82cc1d792d58ef9c0a9eea6 Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.5.7-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.5.7-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.5.7-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.5.7-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.5.7-fpmChangeLog
CLI
- Fixed bug GH-21901 (Stale
getopt()optional value).
Core
- Fixed bug GH-22071 (JIT assertion on abstract static method call).
Date
- Fixed bug GH-18422 (int overflow in
php_date_llabs).
DOM
- Fixed bug GH-22077 (UAF in custom XPath function). (afflerbach/David Carlier)
Opcache
- Fixed tracing JIT crash when a VM interrupt is handled during an observed user function call.
- Fixed bug GH-21746 (Segfault with tracing JIT).
- Fixed bug GH-22004 (Assertion failure at
ext/opcache/jit/zend_jit_trace.c). - Fixed tailcall VM crash when a VM interrupt is handled from a VM helper.
OpenSSL
- Fix compatibility issues with OpenSSL 4.0.
Standard
- Fixed bug GH-21689 (
version_compare()incorrectly handles versions ending with a dot).
URI
- Fixed CVE-2026-44927 (In uriparser before 1.0.2, there is pointer difference truncation to int in various places). (CVE-2026-44927)
- Fixed CVE-2026-44928 (In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal). (CVE-2026-44928)
Commit List
Arnaud Le Blanc
- Fix compiler warning with GCC 16: variable 'offset' set but not used [-Werror=unused-but-set-variable=] in ac86e10468
- Fix incorrect trace stop type in 6872432adf
- Fix compiler warning with glibc 2.43 support of C23 const-preserving standard library macros: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] in 6a27514509
- Fix compiler warning with GCC 16: variable 'offset' set but not used [-Werror=unused-but-set-variable=] in 178a5e7997
- Fix compiler warning with glibc 2.43 support of C23 const-preserving standard library macros: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] in ac1390f60e
- JIT: Fix TSSA of
ZEND_FE_FETCH_Rwith key operand in ef589ce669 - Fix compiler warning with glibc 2.43 support of C23 const-preserving standard library macros: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] in 3a8307d3e5
David Carlier
- Fix GH-21544: Dom\XMLDocument::C14N() drops namespace declarations on DOM-built documents in d43c523c48
ext/spl: FixSplFixedArray::setSizeleak when destructor grows during clear in cb3dc62fd9- Fix GH-21927: Use-after-free of self-freeing MultipleIterator children in 71926644bb
ext/mysqlnd: Fix persistent free of non-persistent connect_attr key in 6e87107575ext/xml: Usezend_string_safe_realloc()for cdata concatenation in d5a57af4e2ext/intl: fix build due to 2d78489 merge in ed2c6ba6d0
Dmitry Stogov
Ilia Alshanetsky
- Fix GH-20214:
PDO::FETCH_DEFAULTunexpected behavior withPDOStatement::setFetchModein GH-21434 - JIT: Fix escape_if_undef on PHP-8.4 CALL VM in 05afc37eff
- Fix GH-18422: int overflow in
php_date_llabsin 09ca095aa8
Ilija Tovilo
- Revert "Fix GH-20214:
PDO::FETCH_DEFAULTunexpected behavior withPDOStatement::setFetchMode(#21434)" in 171b722edc - Fix ext-dom shared build on Windows in ca08e0ff72
- Fix
gh21901.phptexpected output when no ini file is loaded in e3845851d3 - Backport compatibility changes for OpenSSL 4.0 in 19255f4b78
- GHSA-85c2-q967-79q5: [soap] Fix stale SOAP_GLOBAL(ref_map) pointer with Apache Map in aee3b3ac9b
- GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after header parsing failure with
SOAP_PERSISTENCE_SESSIONin db2a7f9348 - GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value NULL check in 79551ab8b1
- GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to
ctype.hfunctions in a38418777f - GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to
ctype.hfunctions in 398b7dabfb - GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to
ctype.hfunctions in dc9e21b81c - GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to
ctype.hfunctions in b8dad9314c - GHSA-74r9-qxhc-fx53: [mbstring] Fix out-of-bounds access in
mbfl_name2encoding_ex()in 56ee76f820
Jakub Zelenka
- GHSA-7qg2-v9fj-4mwv: [fpm] XSS within status endpoint in 99a5ad7441
Joe Afflerbach
ext/dom: Fix UAF in custom XPath function in 33a49bb4d3
Levi Morrison
- Fix JIT vm_interrupt in GH-21910
- Fix tailcall helper dispatch after VM interrupt in 06bfe158a5
Michael Orlitzky
ext/gd:imagebmp_basic.phpttest require PNG support in ac8248bb63ext/gd: fix gh16559 and gh17349 tests in 37bb1c39a9
onthebed
- Fix stale
getopt()optional value in CLI in 893bc0ad6e
Reshma V Kumar
ext/standard: Fix ip2long in AIX to treat IPs with leading zeros as invalid like LINUX in e88e04909c
Saki Takamachi
- GHSA-w476-322c-wpvm: [pdo_firebird] Fix SQL injection via NUL bytes in quoted strings in 3f40b65323
Shivam Mathur
- Preserve full XMM registers in Windows VM wrapper in GH-21976
- Fix GH-22023 crash during ZTS thread startup in GH-22027
- Fix Windows clang VM handler declaration in GH-22103
Tim Düsterhus
zend_compile: Fix incorrect use ofZVAL_NEW_STR()inzend_compile_call()in GH-21851- uri: Update to uriparser-1.0.1 in GH-21890
- version_compare: Fix handling of version numbers with a trailing dot in GH-21689
- GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer overflow of char array offset in 47def8ce1d
- uri: Update to uriparser-1.0.2 in GH-22070
vi3tL0u1s
- GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer dereference in
php_mb_check_encoding()viamb_ereg_search_init()in 79a054eae0
Volker Dusch
- Update versions for PHP 8.5.7 in 35eab8c08b
“LamentXU123”
ext/intl: Fix out-of-bounds argument positions in calendar date/time APIs in 10704f079fext/intl: Expose Spoofchecker restriction-level APIs on all supported ICU versions in 4f947157b7ext/intl: use PATTERN constant name in dateformat errors in 2d784891ff