自 2025 年 3 月 27 日起,我们建议您使用 android-latest-release
而非 aosp-main
构建 AOSP 并为其做出贡献。如需了解详情,请参阅 AOSP 的变更。
Wear OS 安全公告 - 2025 年 3 月
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
发布时间:2025 年 3 月 3 日
Wear OS 安全公告详细介绍了会影响 Wear OS 平台的安全漏洞。完整的 Wear OS 更新包含 2025 年 3 月 Android 安全公告中涵盖的 2025-03-05 或更高的安全补丁级别,以及本公告中的所有问题。
建议所有用户都在自己的设备上接受这些更新。
这些问题中危险性最高的是系统组件中的一个严重程度为“高”的安全漏洞,可能会导致本地提权,而无需额外的执行特权。严重程度评估的依据是漏洞被利用后可能会对受影响的设备造成的影响(假设相关平台和服务缓解措施被成功规避或出于开发目的而被停用)。
通告
-
除了 2025 年 3 月的 Android 安全公告中所述的安全漏洞外,2025 年 3 月 Wear OS 安全公告还包含专门针对下述 Wear OS 漏洞的补丁。
2025-03-01 安全补丁级别漏洞详情
我们在下面提供了 2025-03-01 补丁级别涵盖的每个安全漏洞的详细信息,漏洞按照其影响的组件进行分类,具体问题会在以下表格中说明,包括 CVE ID、相关参考编号、漏洞类型、严重程度和已更新的 AOSP 版本(若有)。
如果有解决相应问题的公开更改记录(例如 AOSP 代码更改列表),我们会将 bug ID 链接到该记录。
如果某个 bug 有多条相关的代码更改记录,我们还会通过 bug ID 后面的数字链接到更多参考内容。
搭载 Android 10 及更高版本的设备可能会收到安全更新以及 Google Play 系统更新。
系统
这一部分中最严重的漏洞可导致权限在远程升级,而无需额外的执行权限。
CVE |
参考编号 |
类型 |
严重程度 |
AOSP 版本 |
CVE-2025-22414
|
A-286591853
|
EoP |
高 |
13, 14 |
CVE-2025-22415
|
A-380885358
|
EoP |
高 |
13, 14 |
常见问题和解答
这一部分解答了用户在阅读本公告后可能会提出的常见问题。
1. 如何确定我的设备是否已通过更新解决这些问题?
如需了解如何查看设备的安全补丁级别,请参阅 Google 设备更新时间表中的说明。
- 如果安全补丁级别是 2025-03-01 或更新,则意味着已解决 2025-03-01 安全补丁级别涵盖的所有问题。
预装这些更新的设备制造商应将补丁字符串级别设为:
- [ro.build.version.security_patch]:[2025-03-01]
对于某些搭载 Android 10 或更高版本的设备,Google Play 系统更新的日期字符串将与 2025-03-01 安全补丁级别一致。如需详细了解如何安装安全更新,请查看这篇文章。
2. “类型”列中的条目表示什么意思?
在漏洞详情表内,“类型”列中的条目是安全漏洞的分类。
缩写词 |
定义 |
RCE |
远程代码执行 |
EoP |
提权 |
ID |
信息披露 |
DoS |
拒绝服务攻击 |
不适用 |
没有分类 |
3. “参考编号”列中的条目表示什么意思?
在漏洞详情表内,“参考编号”列中的条目可能包含用于标识参考编号值所属组织的前缀。
前缀 |
参考编号 |
A- |
Android bug ID |
QC- |
Qualcomm 参考编号 |
M- |
MediaTek 参考编号 |
N- |
NVIDIA 参考编号 |
B- |
Broadcom 参考编号 |
U- |
UNISOC 参考编号 |
4. 在“参考编号”列中,Android bug ID 旁边的 * 表示什么意思?
如果问题尚未公开发布,在“参考编号”列中,相应 Android bug ID 旁边就会显示 *。Google Developers 网站上针对 Pixel 设备提供的最新二进制驱动程序中通常包含旨在解决相应问题的更新。
5. 为什么将安全漏洞拆分到本公告和设备 /合作伙伴安全公告(如 Pixel 公告)中?
若要在 Android 设备上声明最新的安全补丁级别,必须修复本安全公告中记录的安全漏洞。但在声明安全补丁级别时,并不是必须修复设备/ 合作伙伴安全公告中记录的其他安全漏洞。Android 设备和芯片组制造商可能也会发布针对其产品的安全漏洞详情,例如:Google、Huawei、LGE、Motorola、Nokia或Samsung。
版本
版本 |
日期 |
备注 |
1.0 |
2025 年 3 月 3 日 |
发布了本公告 |
本页面上的内容和代码示例受内容许可部分所述许可的限制。Java 和 OpenJDK 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-08-12。
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["没有我需要的信息","missingTheInformationINeed","thumb-down"],["太复杂/步骤太多","tooComplicatedTooManySteps","thumb-down"],["内容需要更新","outOfDate","thumb-down"],["翻译问题","translationIssue","thumb-down"],["示例/代码问题","samplesCodeIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-08-12。"],[],[],null,["# Wear OS Security Bulletin—March 2025\n\n*Published March 3, 2025*\n\n\nThe Wear OS Security Bulletin contains details of security vulnerabilities\naffecting the Wear OS platform.\nThe full Wear OS update comprises the security patch level of 2025-03-05 or\nlater from the [March 2025 Android Security Bulletin](/security/bulletin/2025-03-01) in addition to all\nissues in this bulletin.\n\n\nWe encourage all customers to accept these updates to their devices.\n| **Note**: Please contact your device supplier for device firmware images.\n\n\nThe most severe of these issues is a high security vulnerability in the\nSystem component that could lead to local escalation of privilege with no\nadditional execution privileges needed.\nThe [severity assessment](/security/overview/updates-resources#severity) is based on the effect that\nexploiting the vulnerability would possibly have on an affected device,\nassuming the platform and service mitigations are turned off for development\npurposes or if successfully bypassed.\n\nAnnouncements\n-------------\n\n- In addition to the security vulnerabilities described in the March 2025 Android Security Bulletin, the March 2025 Wear OS Security Bulletin also contains patches specifically for Wear OS vulnerabilities as described below.\n\n2025-03-01\nsecurity patch level vulnerability details\n-----------------------------------------------------\n\n\nIn the sections below, we provide details for each of the security\nvulnerabilities that apply to the 2025-03-01 patch level.\nVulnerabilities are grouped under the component they affect.\nIssues are described in the tables below and include CVE ID, associated\nreferences, [type of vulnerability](#type),\n[severity](/security/overview/updates-resources#severity),\nand updated AOSP versions (where applicable).\nWhen available, we link the public change that addressed the issue to the\nbug ID, like the AOSP change list.\nWhen multiple changes relate to a single bug, additional references are\nlinked to numbers following the bug ID.\nDevices with Android 10 and later may receive security updates as well as\n[Google Play\nsystem updates](https://support.google.com/android/answer/7680439?).\n\n### System\n\nThe most severe vulnerability in this section could lead to local\nescalation of privilege with no additional execution privileges needed.\n\n| CVE | References | Type | Severity | AOSP versions |\n|----------------|-------------|------|----------|---------------|\n| CVE-2025-22414 | A-286591853 | EoP | High | 13, 14 |\n| CVE-2025-22415 | A-380885358 | EoP | High | 13, 14 |\n\nCommon questions and answers\n----------------------------\n\nThis section answers common questions that may occur after reading this\nbulletin.\n\n**1. How do I determine if my device is updated to address these\nissues?**\n\nTo learn how to check a device's security patch level, read the instructions on the\n[Google device update schedule](https://support.google.com/android/answer/7680439).\n\n- Security patch levels of 2025-03-01 or later address all issues associated with the 2025-03-01 security patch level.\n\nDevice manufacturers that include these updates should set the patch string\nlevel to:\n\n- \\[ro.build.version.security_patch\\]:\\[2025-03-01\\]\n\nFor some devices on Android 10 or later, the Google Play system update\nwill have a date string that matches the 2025-03-01\nsecurity patch level.\nPlease see [this article](https://support.google.com/android/answer/7680439) for more details on\nhow to install\nsecurity updates.\n\n\n**2. What do the entries in the *Type* column mean?**\n\nEntries in the *Type* column of the vulnerability details table\nreference the classification of the security vulnerability.\n\n| Abbreviation | Definition |\n|--------------|------------------------------|\n| RCE | Remote code execution |\n| EoP | Elevation of privilege |\n| ID | Information disclosure |\n| DoS | Denial of service |\n| N/A | Classification not available |\n\n\n**3. What do the entries in the *References* column mean?**\n\nEntries under the *References* column of the vulnerability details\ntable may contain a prefix identifying the organization to which the reference\nvalue belongs.\n\n| Prefix | Reference |\n|--------|---------------------------|\n| A- | Android bug ID |\n| QC- | Qualcomm reference number |\n| M- | MediaTek reference number |\n| N- | NVIDIA reference number |\n| B- | Broadcom reference number |\n| U- | UNISOC reference number |\n\n\n**4. What does an \\* next to the Android bug ID in the *References*\ncolumn mean?**\n\nIssues that are not publicly available have an \\* next to the corresponding\nreference ID. The update for that issue is generally contained in the latest\nbinary drivers for Pixel devices available from the\n[Google Developer site](https://developers.google.com/android/drivers).\n\n**5. Why are security vulnerabilities split between this bulletin and\ndevice / partner security bulletins, such as the\nPixel bulletin?**\n\nSecurity vulnerabilities that are documented in this security bulletin are\nrequired to declare the latest security patch level on Android\ndevices. Additional security vulnerabilities that are documented in the\ndevice / partner security bulletins are not required for\ndeclaring a security patch level. Android device and chipset manufacturers\nmay also publish security vulnerability details specific to their products,\nsuch as\n[Google](/security/bulletin/pixel),\n[Huawei](https://consumer.huawei.com/en/support/bulletin/),\n[LGE](https://lgsecurity.lge.com/security_updates_mobile.html),\n[Motorola](https://motorola-global-portal.custhelp.com/app/software-security-page/g_id/6806),\n[Nokia](https://www.nokia.com/phones/en_int/security-updates), or\n[Samsung](https://security.samsungmobile.com/securityUpdate.smsb).\n\nVersions\n--------\n\n| Version | Date | Notes |\n|---------|---------------|--------------------|\n| 1.0 | March 3, 2025 | Bulletin published |"]]