Announce PHP 8.4.21

Author: NattyNarwhal

ChangeLog-8.php

@@ -877,6 +877,110 @@
 
 <a id="PHP_8_4"></a>
 
+<section class="version" id="8.4.21"><!-- {{{ 8.4.21 -->
+<h3>Version 8.4.21</h3>
+<b><?php release_date('07-May-2026'); ?></b>
+<ul><li>Core:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 19983); ?> (GC assertion failure with fibers, generators and destructors).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21478); ?> (Forward property operations to real instance for initialized lazy proxies).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21605); ?> (Missing addref for Countable::count()).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21699); ?> (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21603); ?> (Missing addref for __unset).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21760); ?> (Trait with class constant name conflict against enum case causes SEGV).</li>
+</ul></li>
+<li>CLI:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21754); ?> (`--rf` command line option with a method triggers ext/reflection deprecation warnings).</li>
+</ul></li>
+<li>Curl:
+<ul>
+  <li>Add support for brotli and zstd on Windows.</li>
+</ul></li>
+<li>DOM:
+<ul>
+  <li>Fixed <?php githubsecurityl('php/php-src', '4jhr-8w89-j733'); ?> and <?php githubissuel('php/php-src', 21566); ?> (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21688); ?> (segmentation fault on empty HTMLDocument).</li>
+  <li>Upgrade to lexbor v2.7.0.</li>
+</ul></li>
+<li>FPM:
+<ul>
+  <li>Fixed <?php githubsecurityl('php/php-src', '7qg2-v9fj-4mwv'); ?> (XSS within status endpoint). (CVE-2026-6735)</li>
+</ul></li>
+<li>Iconv:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 17399); ?> (iconv memory leak on bailout).</li>
+</ul></li>
+<li>MBString:
+<ul>
+  <li>Fixed <?php githubsecurityl('php/php-src', 'wm6j-2649-pv75'); ?> (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)</li>
+  <li>Fixed <?php githubsecurityl('php/php-src', '74r9-qxhc-fx53'); ?> (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104)</li>
+</ul></li>
+<li>Opcache:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21158); ?> (JIT: Assertion jit-&gt;ra[var].flags &amp; (1&lt;&lt;0) failed in zend_jit_use_reg).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21593); ?> (Borked function JIT JMPNZ smart branch).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21460); ?> (COND optimization regression).</li>
+  <li>Fixed faulty returns out of zend_try block in zend_jit_trace().</li>
+</ul></li>
+<li>OpenSSL:
+<ul>
+  <li>Fix a bunch of memory leaks and crashes on edge cases.</li>
+</ul></li>
+<li>PDO_Firebird:
+<ul>
+  <li>Fixed <?php githubsecurityl('php/php-src', 'w476-322c-wpvm'); ?> (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179)</li>
+</ul></li>
+<li>Phar:
+<ul>
+  <li>Restore is_link handler in phar_intercept_functions_shutdown.</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21797); ?> (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment).</li>
+  <li>Fix memory leak in Phar::offsetGet().</li>
+  <li>Fix memory leak in phar_add_file().</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21799); ?> (phar: propagate phar_stream_flush return value from phar_stream_close).</li>
+  <li>Fix memory leak in phar_verify_signature() when md_ctx is invalid.</li>
+</ul></li>
+<li>Random:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21731); ?> (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state).</li>
+</ul></li>
+<li>Session:
+<ul>
+  <li>Fixed memory leak when session GC callback return a refcounted value.</li>
+</ul></li>
+<li>SOAP:
+<ul>
+  <li>Fixed <?php githubsecurityl('php/php-src', '85c2-q967-79q5'); ?> (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722)</li>
+  <li>Fixed <?php githubsecurityl('php/php-src', 'm33r-qmcv-p97q'); ?> (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)</li>
+  <li>Fixed <?php githubsecurityl('php/php-src', 'hmxp-6pc4-f3vv'); ?> (Broken Apache map value NULL check). (CVE-2026-7262)</li>
+</ul></li>
+<li>SPL:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21499); ?> (RecursiveArrayIterator getChildren UAF after parent free).</li>
+  <li>Fix concurrent iteration and deletion issues in SplObjectStorage.</li>
+</ul></li>
+<li>Standard:
+<ul>
+  <li>Fixed <?php githubsecurityl('php/php-src', '96wq-48vp-hh57'); ?> (Signed integer overflow of char array offset). (CVE-2026-7568)</li>
+  <li>Fixed <?php githubsecurityl('php/php-src', 'm8rr-4c36-8gq4'); ?> (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258)</li>
+</ul></li>
+<li>Streams:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21468); ?> (Segfault in file_get_contents w/ a https URL and a proxy set).</li>
+</ul></li>
+<li>XSL:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21600); ?> (Segfault on module shutdown).</li>
+</ul></li>
+<li>Zip:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 21698); ?> (memory leak with ZipArchive::addGlob() early return statements).</li>
+</ul></li>
+</ul>
+<!-- }}} --></section>
+
+
+
 <section class="version" id="8.4.20"><!-- {{{ 8.4.20 -->
 <h3>Version 8.4.20</h3>
 <b><?php release_date('09-Apr-2026'); ?></b>

archive/archive.xml

@@ -9,6 +9,7 @@
     <uri>http://php.net/contact</uri>
     <email>php-webmaster@lists.php.net</email>
   </author>
+  <xi:include href="entries/2026-05-07-2.xml"/>
   <xi:include href="entries/2026-05-07-1.xml"/>
   <xi:include href="entries/2026-05-04-1.xml"/>
   <xi:include href="entries/2026-04-09-2.xml"/>

archive/entries/2026-05-07-2.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<entry xmlns="http://www.w3.org/2005/Atom">
+  <title>PHP 8.4.21 Released!</title>
+  <id>https://www.php.net/archive/2026.php#2026-05-07-2</id>
+  <published>2026-05-07T15:34:42+00:00</published>
+  <updated>2026-05-07T15:34:42+00:00</updated>
+  <link href="https://www.php.net/index.php#2026-05-07-2" rel="alternate" type="text/html"/>
+  <link href="https://www.php.net/archive/2026.php#2026-05-07-2" rel="via" type="text/html"/>
+  <category term="releases" label="New PHP release"/>
+  <category term="frontpage" label="PHP.net frontpage news"/>
+  <content type="xhtml">
+    <div xmlns="http://www.w3.org/1999/xhtml"><p>The PHP development team announces the immediate availability of PHP 8.4.21. This is a security release.</p>
+
+<p>All PHP 8.4 users are encouraged to upgrade to this version.</p>
+
+<p>For source downloads of PHP 8.4.21 please visit our <a href="https://www.php.net/downloads.php">downloads page</a>,
+Windows source and binaries can also be found <a href="https://www.php.net/downloads.php?os=windows&amp;version=8.4">there</a>.
+The list of changes is recorded in the <a href="https://www.php.net/ChangeLog-8.php#8.4.21">ChangeLog</a>.
+</p>    </div>
+  </content>
+</entry>

include/release-qa.php

@@ -75,12 +75,12 @@
         'active'  => true,
         'release' => [
             'type'       => 'RC',
-            'number'     => 1,
-            'sha256_bz2' => '92be1ab180946fb6fe21456cfae08190fe556fb643d56043bd56f034ae145368',
-            'sha256_gz'  => 'e4c3eb09b3948bda0a0e41c73424a73c1d3ca6c7ee81efb22f26f07cb7476929',
-            'sha256_xz'  => 'c1a77cbbfe2dc7dd37b11f88ff68f112dbed6eaa9ba2d232e0a1b57852c93096',
-            'date'       => '23 Apr 2026',
-            'baseurl'    => 'https://downloads.php.net/~calvinb/',
+            'number'     => 0,
+            'sha256_bz2' => '',
+            'sha256_gz'  => '',
+            'sha256_xz'  => '',
+            'date'       => '07 May 2026',
+            'baseurl'    => 'https://downloads.php.net/',
         ],
     ],
 

include/releases.inc

@@ -2,6 +2,42 @@
 $OLDRELEASES = array (
   8 => 
   array (
+    '8.4.20' => 
+    array (
+      'announcement' => 
+      array (
+        'English' => '/releases/8_4_20.php',
+      ),
+      'tags' => 
+      array (
+      ),
+      'date' => '09 Apr 2026',
+      'source' => 
+      array (
+        0 => 
+        array (
+          'filename' => 'php-8.4.20.tar.gz',
+          'name' => 'PHP 8.4.20 (tar.gz)',
+          'sha256' => 'a2def5d534d57c6a0236f2265de7537608af871900a4f7955eff463e9e38247d',
+          'date' => '09 Apr 2026',
+        ),
+        1 => 
+        array (
+          'filename' => 'php-8.4.20.tar.bz2',
+          'name' => 'PHP 8.4.20 (tar.bz2)',
+          'sha256' => 'ce25d2610a5f9522ac8f53fbb7b8280b5c021991e9bd9137068c9c629d9ffb56',
+          'date' => '09 Apr 2026',
+        ),
+        2 => 
+        array (
+          'filename' => 'php-8.4.20.tar.xz',
+          'name' => 'PHP 8.4.20 (tar.xz)',
+          'sha256' => 'e454c6f7c89a42f41ebb06dc5c3578e8c8b5f1a3f0da6675665affab04e221f7',
+          'date' => '09 Apr 2026',
+        ),
+      ),
+      'museum' => false,
+    ),
     '8.3.30' => 
     array (
       'announcement' => 

include/version.inc

@@ -34,13 +34,13 @@ $RELEASES = (function () {
 
     /* PHP 8.4 Release */
     $data['8.4'] = [
-        'version' => '8.4.20',
-        'date' => '09 Apr 2026',
-        'tags' => [], // Set to ['security'] for security releases.
+        'version' => '8.4.21',
+        'date' => '07 May 2026',
+        'tags' => ['security'], // Set to ['security'] for security releases.
         'sha256' => [
-            'tar.gz' => 'a2def5d534d57c6a0236f2265de7537608af871900a4f7955eff463e9e38247d',
-            'tar.bz2' => 'ce25d2610a5f9522ac8f53fbb7b8280b5c021991e9bd9137068c9c629d9ffb56',
-            'tar.xz' => 'e454c6f7c89a42f41ebb06dc5c3578e8c8b5f1a3f0da6675665affab04e221f7',
+            'tar.gz' => 'db96ee0a8e5ee7b73a4913a2aeddc162ba2ef16cd34b9347b5b9a6150e1f8e48',
+            'tar.bz2' => '5e0bd287f3be35bf57c211b010527ae5e10a88170f96e64d336044eb5faef430',
+            'tar.xz' => '7cf5d8ab12c3b2016875bcfaec71bef1ef0b07bed6148f2c447577074431f984',
         ]
     ];
 

releases/8_4_21.php

@@ -0,0 +1,16 @@
+<?php
+$_SERVER['BASE_PAGE'] = 'releases/8_4_21.php';
+include_once __DIR__ . '/../include/prepend.inc';
+site_header('PHP 8.4.21 Release Announcement');
+?>
+<h1>PHP 8.4.21 Release Announcement</h1>
+
+<p>The PHP development team announces the immediate availability of PHP 8.4.21. This is a security release.</p>
+
+<p>All PHP 8.4 users are encouraged to upgrade to this version.</p>
+
+<p>For source downloads of PHP 8.4.21 please visit our <a href="https://www.php.net/downloads.php">downloads page</a>,
+Windows source and binaries can also be found <a href="https://www.php.net/downloads.php?os=windows&amp;version=8.4">there</a>.
+The list of changes is recorded in the <a href="https://www.php.net/ChangeLog-8.php#8.4.21">ChangeLog</a>.
+</p>
+<?php site_footer();