TP‑Link RCE + Chrome zero‑days

TP‑Link assigned CVE‑2026‑1457 to the VIGI C385 — an authenticated buffer‑handling flaw that can lead to remote code execution — and published an advisory and firmware update on Jan. 29, 2026. (tp-link.com) A public proof‑of‑concept and technical writeups for CVE‑2026‑1457 appeared on GitHub and in vulnerability trackers showing an authenticated LAN attacker can trigger a stack‑based overflow that could yield root access on affected cameras. (github.com) TP‑Link published firmware fixes on March 13, 2026 for an authenticated command‑injection tracked as CVE‑2026‑3227 that affects TL‑WR802N v4, TL‑WR841N v14 and TL‑WR840N v6; the vendor’s support pages list the patched builds. (tp-link.com) The U.S. Cybersecurity and Infrastructure Security Agency has repeatedly flagged TP‑Link router flaws in its Known Exploited Vulnerabilities catalog and issued advisories tying multiple TP‑Link issues to active exploitation. (cisa.gov) Google pushed emergency Chrome 146 updates in mid‑March to close two zero‑days — CVE‑2026‑3909 (an out‑of‑bounds write in the Skia graphics library) and CVE‑2026‑3910 (an inappropriate implementation in the V8 engine) — both reported as exploited in the wild. (securityweek.com) Because the bugs live in Chromium components, other Chromium‑based browsers issued updates (Microsoft released Edge 146.0.3856.62 to address the same problem), and Google said it would withhold full technical details until the fixes reached a majority of users. (threatprotect.qualys.com) TP‑Link’s support/download pages host the specific firmware images for the patched VIGI and TL‑WR models, and Google’s stable‑channel notes list the Chrome 146 build numbers (146.0.7680.75/76) pushed around March 12–13, 2026. (tp-link.com)