diff --git a/NEWS b/NEWS index 5453a5fc094f..fd17715973a8 100644 --- a/NEWS +++ b/NEWS @@ -186,6 +186,8 @@ PHP NEWS (Weilin Du) . getenv() and putenv() now raises a ValueError when the first argument contains null bytes. (Weilin Du) + . proc_open() now raises a ValueError when the $cwd argument contains + null bytes. (Weilin Du) - Streams: . Added so_keepalive, tcp_keepidle, tcp_keepintvl and tcp_keepcnt stream diff --git a/UPGRADING b/UPGRADING index e55e03be48b9..088f5b620bd4 100644 --- a/UPGRADING +++ b/UPGRADING @@ -102,6 +102,8 @@ PHP 8.6 UPGRADE NOTES argument value is passed. . scandir() now raises a ValueError when an invalid $sorting_order argument value is passed. + . proc_open() now raises a ValueError when the $cwd argument contains + null bytes. - Zip: . ZipArchive::extractTo now raises a TypeError for the diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c index f016a313f2e8..f865c101aede 100644 --- a/ext/spl/spl_fixedarray.c +++ b/ext/spl/spl_fixedarray.c @@ -170,18 +170,18 @@ static void spl_fixedarray_resize(spl_fixedarray *array, zend_long size) return; } - /* first initialization */ - if (array->size == 0) { - spl_fixedarray_init(array, size); - return; - } - if (UNEXPECTED(array->cached_resize >= 0)) { /* We're already resizing, so just remember the desired size. * The resize will happen later. */ array->cached_resize = size; return; } + /* first initialization */ + if (array->size == 0) { + spl_fixedarray_init(array, size); + return; + } + array->cached_resize = size; /* clearing the array */ diff --git a/ext/spl/tests/SplFixedArray_setSize_destruct_grow_during_clear.phpt b/ext/spl/tests/SplFixedArray_setSize_destruct_grow_during_clear.phpt new file mode 100644 index 000000000000..f0982364afa8 --- /dev/null +++ b/ext/spl/tests/SplFixedArray_setSize_destruct_grow_during_clear.phpt 
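Review bot: In ext/spl/spl_fixedarray.c, spl_fixedarray_resize() now depends on the `cached_resize >= 0` test running before the `array->size == 0` test, but nothing in the code says so, and a later tidy-up could move the "first initialization" block back to the top. Judging by the title of the new test, the size is presumably already 0 while elements are being destroyed during a clear, so a re-entrant setSize() from a destructor would otherwise take the init path on storage the outer call is still tearing down. I would extend the comment on the moved block, e.g. `/* first initialization; must stay after the cached_resize check, because size can already be 0 while an outer resize is still clearing elements */`. The function starts and ends outside the hunk, so how the remembered size is applied after the clear is not visible here.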
@@ -0,0 +1,28 @@ +--TEST-- +SplFixedArray::setSize: grow re-entrantly during clear (setSize(0)) +--FILE-- +arr !== null) { + $this->arr->setSize(5); + } + } +} + +$arr = new SplFixedArray(2); +$r = new Reentrant(); +$r->arr = $arr; +$arr[0] = $r; +unset($r); +$arr[1] = "tail"; + +$arr->setSize(0); +echo "size: ", $arr->getSize(), "\n"; +$arr[0] = "ok"; +var_dump($arr[0]); +?> +--EXPECT-- +size: 5 +string(2) "ok" diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c index edccbeae5646..111111406799 100644 --- a/ext/standard/proc_open.c +++ b/ext/standard/proc_open.c @@ -1240,7 +1240,7 @@ PHP_FUNCTION(proc_open) Z_PARAM_ARRAY_HT(descriptorspec) Z_PARAM_ZVAL(pipes) Z_PARAM_OPTIONAL - Z_PARAM_STRING_OR_NULL(cwd, cwd_len) + Z_PARAM_PATH_OR_NULL(cwd, cwd_len) Z_PARAM_ARRAY_HT_OR_NULL(environment) Z_PARAM_ARRAY_OR_NULL(other_options) ZEND_PARSE_PARAMETERS_END(); diff --git a/ext/standard/tests/general_functions/proc_open_cwd_null_bytes.phpt b/ext/standard/tests/general_functions/proc_open_cwd_null_bytes.phpt new file mode 100644 index 000000000000..faa86c824177 --- /dev/null +++ b/ext/standard/tests/general_functions/proc_open_cwd_null_bytes.phpt @@ -0,0 +1,18 @@ +--TEST-- +proc_open() rejects null bytes in cwd +--SKIPIF-- + +--FILE-- +getMessage(), "\n"; +} + +?> +--EXPECT-- +proc_open(): Argument #4 ($cwd) must not contain any null bytes
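Review bot: The new SplFixedArray_setSize_destruct_grow_during_clear.phpt checks only the final size and a write to slot 0, so it would not notice if the slots added by the re-entrant `setSize(5)` were left uninitialized. Reading a slot that was never written after the resize, for example `var_dump($arr[4]);` with a matching `NULL` line in --EXPECT--, would cover that case. The opening of the --FILE-- section (the class header) is not visible in this rendering, so this is based on the lines from the destructor body onward.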
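Review bot: In ext/standard/proc_open.c the switch to `Z_PARAM_PATH_OR_NULL(cwd, cwd_len)` covers only `$cwd`. The `environment` array parsed on the next line is still accepted as-is, and this hunk does not show whether its keys and values are checked for null bytes before they become the child's environment. A value with an embedded NUL would presumably be cut short at the C boundary, which is the same silent truncation this change removes for the working directory. It is worth confirming that this path, and the command argument parsed above the hunk, reject null bytes too, or tracking that as a follow-up. The body of PHP_FUNCTION(proc_open) continues outside the hunk.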