PHP pushed maintenance releases for its two active development branches on July 1–2, 2026. PHP 8.5.8 and 8.4.23 are out. Neither is a major feature release, but they fix issues that can cause real harm to production servers. If you’re hosting PHP applications, patch now.
The headliner: CVE-2026-14355
The most critical fix in both releases is CVE-2026-14355, memory corruption in openssl_encrypt() when it is called with the AES-WRAP-PAD cipher mode (bug GH-22187). Specifically, the internal zend_mm_heap is corrupted during that operation. Heap corruption is the kind of bug that ranges from “your process crashes at random” to “someone executes arbitrary code,” depending on how the application uses the function and what an attacker can control. Note that the vulnerable path is the wrap-pad cipher, not openssl_encrypt() in general, so the first thing to check is whether any of your code, or a library you ship, selects a wrap-pad cipher name, and whether the cipher name or the data reaching that call can be influenced by a request. If you use PHP’s OpenSSL extension for encryption, and many applications do, this one warrants immediate attention regardless: patching is cheaper than auditing.
CVE-2026-14355 is explicitly assigned in the PHP 8.5.8 changelog. The 8.4.23 entry patches the same underlying bug GH-22187 without naming the CVE, but it applies equally.
Phar’s directory bypass
Both releases patch a bypass of the .phar directory protection in Phar::addEmptyDir(). The .phar directory inside an archive is reserved by Phar for its own internals (the stub among them), and addEmptyDir() is supposed to refuse entries inside it; a path starting with /.phar slipped past that guard. No CVE has been assigned yet. That does not make it unimportant: if your application creates or modifies phar archives using directory names derived from user input, this is worth knowing about, and until you are patched, reject any such name whose first path component is .phar once leading slashes are stripped.
GD double-free
PHP’s GD image extension receives a fix for a double-free in gdImageSetStyle() triggered by an integer overflow in the image style array (GH-22121). The trigger is the style array passed to imagesetstyle(), not the pixel data of an uploaded image, so the question to ask is whether the length or contents of that array can be derived from user input anywhere in your image pipeline. If they can, pay attention: double-free bugs on attacker-controlled input are a classic exploitation path and have historically been used to turn a crash into code execution.
Additional fixes in 8.5.8
PHP 8.5.8 also closes a use-after-free in custom XPath function handling (GH-22077). UAF bugs in XML processing have a history of being exploitable in web contexts, so this is flagged even without a CVE. Two uriparser library CVEs are bundled in as well — CVE-2026-44927 (pointer difference truncation to int in various places) and CVE-2026-44928 (the EqualsUri function family misclassifying two unequal URIs as equal). Both are confirmed in the official PHP changelog.
Further stability fixes include a JIT assertion failure (GH-22004), a compile error for goto labels preceding try/finally blocks (GH-22280), and a SoapServer crash when $_SERVER is not an array (GH-22218).
About the previous round of CVEs
If you see entries like CVE-2026-6722 or CVE-2026-7261 in the changelog under these versions, those were backported fixes from the May 2026 coordinated release (8.5.6 / 8.4.21 / 8.3.31 / 8.2.31). They are not new to this release cycle — they appear because the 8.5.8 and 8.4.23 changelogs are cumulative.
PHP 8.6 alpha
On the same day PHP 8.6 Alpha 1 landed. Alpha means “do not deploy to production” — it is there for developers who want to test compatibility and poke at upcoming features. Don’t be that person who runs alpha software on a client’s shop to “try it out.”
What this means for kalfaoglu.net customers
If your hosting plan runs PHP 8.4 or 8.5, you are on infrastructure we manage. PHP security updates are pushed on a regular maintenance cycle, and these releases are queued. You don’t need to do anything manually unless you have pinned a specific patch release (for example 8.5.7 rather than the 8.5 branch); if you have, now is a good time to unpin. You can confirm what is actually serving your site with php -v from a shell, or phpinfo() from a page, and compare the result against 8.5.8 or 8.4.23.
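For anyone who has pinned a version or runs PHP on a server they manage themselves, here is a small shell check, added to this post rather than taken from the PHP project, that classifies a version string against the fixed releases named above. The fixed versions 8.5.8 and 8.4.23 come from this post; the function name, the “unknown” result for branches whose fixed version has not been published, and the treatment of pre-release suffixes are my own choices.

```shell
#!/bin/sh
# Added example (not from php.net or this post's author): classify a PHP
# version string relative to the fixed releases named in the post,
# 8.5.8 for the 8.5 branch and 8.4.23 for the 8.4 branch.
# Assumption: only those two branches are known here; anything else,
# including 8.2/8.3 whose fixed versions are not yet published, is "unknown".

# php_patch_status VERSION
# Prints "patched", "vulnerable" or "unknown" and returns 0, 1 or 2.
# A pre-release suffix (8.5.8-dev, 8.5.8RC1) predates the final 8.5.8,
# so it only counts as patched when its numeric part is already higher.
php_patch_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;   # "5.8-dev" -> "8-dev"
        *)   patch=0 ;;            # "8.5" with no patch component
    esac
    num=${patch%%[!0-9]*}          # leading digits only: "8-dev" -> "8"
    suffix=${patch#"$num"}         # whatever followed them: "-dev"
    [ -n "$num" ] || num=0

    case "$major.$minor" in
        8.5) fixed=8 ;;
        8.4) fixed=23 ;;
        *)   echo unknown; return 2 ;;
    esac

    if [ "$num" -gt "$fixed" ] || { [ "$num" -eq "$fixed" ] && [ -z "$suffix" ]; }; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# Constructed sample versions for demonstration only; on a real host run
#   php_patch_status "$(php -r 'echo PHP_VERSION;')"
for v in 8.5.7 8.5.8 8.5.8-dev 8.4.22 8.4.23 8.3.30; do
    printf '%-10s %s\n' "$v" "$(php_patch_status "$v")"
done
```

One caveat when reading the result: distribution packages from Debian, Ubuntu or RHEL often backport security fixes without bumping the upstream version number, so a “vulnerable” verdict on a distro build means check the package changelog for GH-22187 or CVE-2026-14355 before concluding you are exposed. Builds that track upstream numbering, such as Remi’s, can be trusted at face value.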
PHP 8.2 and 8.3 remain in security-only maintenance mode and are expected to receive corresponding patches for the vulnerabilities fixed in this round. Remi Collet’s RPM repository for RHEL and Fedora already carries updated builds for 8.2 through 8.5.
PHP 8.2 reaches end-of-life on December 31, 2026. If you are still running PHP 8.2 in production, the right time to test compatibility with 8.3 or 8.4 was three months ago. The second-best time is now. Waiting until December is how you end up patching on a Sunday night with customers yelling.