diff --git a/NEWS b/NEWS
index fe70343e8398..4ace7d3dc462 100644
--- a/NEWS
+++ b/NEWS
@@ -99,6 +99,10 @@ PHP                                                                        NEWS
   . Added TLS session resumption support for streams with new context options
     and Openssl\Session class. (Jakub Zelenka)
 
+- PCNTL:
+  . pcntl_exec() now throws a ValueError if the $args array is not a list
+    array. (Weilin Du)
+
 - PDO_DBLIB;
   . Added dblib_handle_check_liveness handler. (freddy77)
 
diff --git a/UPGRADING b/UPGRADING
index fe44036383d0..d271eb47f7d1 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -37,6 +37,8 @@ PHP 8.6 UPGRADE NOTES
 - PCNTL:
   . pcntl_alarm() now raises a ValueError if the seconds argument is
     lower than zero or greater than platform's UINT_MAX.
+  . pcntl_exec() now raises a ValueError if the $args argument is not a list
+    array.
 
 - PCRE:
   . preg_grep() now returns false instead of a partial array when a PCRE
diff --git a/ext/opcache/jit/zend_jit_vm_helpers.c b/ext/opcache/jit/zend_jit_vm_helpers.c
index 1c7fb4073569..012edd194e31 100644
--- a/ext/opcache/jit/zend_jit_vm_helpers.c
+++ b/ext/opcache/jit/zend_jit_vm_helpers.c
@@ -1095,6 +1095,8 @@ zend_jit_trace_stop ZEND_FASTCALL zend_jit_trace_execute(zend_execute_data  *ex,
 			if (UNEXPECTED(!jit_extension)
 			 || UNEXPECTED(!(jit_extension->func_info.flags & ZEND_FUNC_JIT_ON_HOT_TRACE))) {
 				if (execute_data->prev_execute_data != prev_execute_data) {
+					stop = ZEND_JIT_TRACE_STOP_RETURN;
+				} else {
 					stop = ZEND_JIT_TRACE_STOP_INTERPRETER;
 				}
 				break;
diff --git a/ext/opcache/tests/jit/gh21746.inc b/ext/opcache/tests/jit/gh21746.inc
new file mode 100644
index 000000000000..b118625484d0
--- /dev/null
+++ b/ext/opcache/tests/jit/gh21746.inc
@@ -0,0 +1,16 @@
+<?php
+return function (mixed $in = null, array $options = []) {
+ $a = null;
+ $b = '';
+ $c = '';
+ $d = fn() => '';
+ $e = fn() => '';
+ $f = fn() => '';
+ $g = fn() => '';
+ return ''
+  .LR::p(null, '', null, [], '')
+  .LR::hbbch([null], $d)
+  .LR::hbbch([null], $e)
+  .LR::hbbch([null], $f)
+  .LR::hbbch([null], $g);
+};
diff --git a/ext/opcache/tests/jit/gh21746.phpt b/ext/opcache/tests/jit/gh21746.phpt
new file mode 100644
index 000000000000..29b3be778be7
--- /dev/null
+++ b/ext/opcache/tests/jit/gh21746.phpt
@@ -0,0 +1,112 @@
+--TEST--
+GH-21746: Segfault with tracing JIT on 2nd call of eval'd closure
+--CREDITS--
+theodorejb
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=tracing
+--FILE--
+<?php
+
+final class LR {
+    public static function p(mixed $cx, string $name, mixed $context, array $hash, string $indent): string {
+        try { $result = ''; } finally {}
+        $lines = explode("\n", $result);
+        foreach ($lines as $i => $_) { if ($i === 0) break; }
+        return $result;
+    }
+    public static function hbbch(array $positional, ?\Closure $cb): string {
+        if ($cb && is_array($positional[0] ?? null)) foreach ($positional[0] as $v) $cb($v);
+        return '';
+    }
+}
+
+$renderFile = __DIR__ . '/gh21746.inc';
+
+// prevent JITing $renderFile
+ini_set('opcache.file_update_protection', 100);
+touch($renderFile);
+
+$renderer = require $renderFile;
+
+for ($r = 0; $r < 70; $r++) {
+    echo "Render $r...";
+    $renderer();
+    echo "OK\n";
+}
+
+?>
+==DONE==
+--EXPECT--
+Render 0...OK
+Render 1...OK
+Render 2...OK
+Render 3...OK
+Render 4...OK
+Render 5...OK
+Render 6...OK
+Render 7...OK
+Render 8...OK
+Render 9...OK
+Render 10...OK
+Render 11...OK
+Render 12...OK
+Render 13...OK
+Render 14...OK
+Render 15...OK
+Render 16...OK
+Render 17...OK
+Render 18...OK
+Render 19...OK
+Render 20...OK
+Render 21...OK
+Render 22...OK
+Render 23...OK
+Render 24...OK
+Render 25...OK
+Render 26...OK
+Render 27...OK
+Render 28...OK
+Render 29...OK
+Render 30...OK
+Render 31...OK
+Render 32...OK
+Render 33...OK
+Render 34...OK
+Render 35...OK
+Render 36...OK
+Render 37...OK
+Render 38...OK
+Render 39...OK
+Render 40...OK
+Render 41...OK
+Render 42...OK
+Render 43...OK
+Render 44...OK
+Render 45...OK
+Render 46...OK
+Render 47...OK
+Render 48...OK
+Render 49...OK
+Render 50...OK
+Render 51...OK
+Render 52...OK
+Render 53...OK
+Render 54...OK
+Render 55...OK
+Render 56...OK
+Render 57...OK
+Render 58...OK
+Render 59...OK
+Render 60...OK
+Render 61...OK
+Render 62...OK
+Render 63...OK
+Render 64...OK
+Render 65...OK
+Render 66...OK
+Render 67...OK
+Render 68...OK
+Render 69...OK
+==DONE==
diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index e9453b21329e..2ba732c4540e 100644
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -675,7 +675,11 @@ PHP_FUNCTION(pcntl_exec)
 	ZEND_PARSE_PARAMETERS_END();
 
 	if (args != NULL) {
-		// TODO Check array is a list?
+		if (!zend_array_is_list(Z_ARRVAL_P(args))) {
+			zend_argument_value_error(2, "must be a list array");
+			RETURN_THROWS();
+		}
+
 		/* Build argument list */
 		SEPARATE_ARRAY(args);
 		const HashTable *args_ht = Z_ARRVAL_P(args);
diff --git a/ext/pcntl/tests/pcntl_exec_list_args.phpt b/ext/pcntl/tests/pcntl_exec_list_args.phpt
new file mode 100644
index 000000000000..5cd8c0fbe228
--- /dev/null
+++ b/ext/pcntl/tests/pcntl_exec_list_args.phpt
@@ -0,0 +1,14 @@
+--TEST--
+pcntl_exec(): Argument array must be a list
+--EXTENSIONS--
+pcntl
+--FILE--
+<?php
+try {
+    pcntl_exec('cmd', ['opt' => '-n']);
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+ValueError: pcntl_exec(): Argument #2 ($args) must be a list array