Starting March 27, 2025, we recommend using android-latest-release instead of aosp-main to build and contribute to AOSP. For more information, see Changes to AOSP.
Stay organized with collections
Save and categorize content based on your preferences.
Published August 7, 2023
The Wear OS Security Bulletin contains details of security vulnerabilities affecting the Wear OS platform.
The full Wear OS update comprises the security patch level of 2023-08-05 or later from the August 2023 Android Security Bulletin in addition to all issues in this bulletin.
We encourage all customers to accept these updates to their devices.
The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.
Announcements
In addition to the security vulnerabilities described in the August 2023 Android Security Bulletin, the August 2023 Wear OS Security Bulletin also contains patches specifically for Wear OS vulnerabilities as described below.
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2023-08-01 patch level.
Vulnerabilities are grouped under the component they affect.
Issues are described in the tables below and include CVE ID, associated
references, type of vulnerability,
severity,
and updated AOSP versions (where applicable).
When available, we link the public change that addressed the issue to the
bug ID, like the AOSP change list.
When multiple changes relate to a single bug, additional references are
linked to numbers following the bug ID.
Devices with Android 10 and later may receive security updates as well as
Google Play
system updates.
Framework
The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE
References
Type
Severity
Updated AOSP versions
CVE-2023-21229
A-265431830
EoP
High
11, 13
Platform
The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE
References
Type
Severity
Updated AOSP versions
CVE-2023-21230
A-191680486
ID
High
11, 13
System
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE
References
Type
Severity
Updated AOSP versions
CVE-2023-21231
A-187307530
EoP
High
13
CVE-2023-21234
A-260859883
EoP
High
11, 13
CVE-2023-21235
A-133761964
EoP
High
11, 13
CVE-2023-35689
A-265474852
EoP
High
11, 13
CVE-2023-21232
A-267251033
ID
High
11, 13
CVE-2023-21233
A-261073851
ID
High
11
Common questions and answers
This section answers common questions that may occur after reading this
bulletin.
1. How do I determine if my device is updated to address these
issues?
Security patch levels of 2023-08-01 or later address
all issues associated with the 2023-08-01 security patch
level.
For some devices on Android 10 or later, the Google Play system update
will have a date string that matches the 2023-08-01
security patch level.
Please see this article for more details on how to install
security updates.
2. What do the entries in the Type column mean?
Entries in the Type column of the vulnerability details table
reference the classification of the security vulnerability.
Abbreviation
Definition
RCE
Remote code execution
EoP
Elevation of privilege
ID
Information disclosure
DoS
Denial of service
N/A
Classification not available
3. What do the entries in the References column mean?
Entries under the References column of the vulnerability details
table may contain a prefix identifying the organization to which the reference
value belongs.
Prefix
Reference
A-
Android bug ID
QC-
Qualcomm reference number
M-
MediaTek reference number
N-
NVIDIA reference number
B-
Broadcom reference number
U-
UNISOC reference number
Versions
Version
Date
Notes
1.0
August 7, 2023
Bulletin Published
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2024-08-26 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-08-26 UTC."],[],[],null,["# Wear OS Security Bulletin—August 2023\n\n*Published August 7, 2023*\n\n\nThe Wear OS Security Bulletin contains details of security vulnerabilities affecting the Wear OS platform.\nThe full Wear OS update comprises the security patch level of 2023-08-05 or later from the [August 2023 Android Security Bulletin](/docs/security/bulletin/2023-08-01) in addition to all issues in this bulletin.\n\n\nWe encourage all customers to accept these updates to their devices.\n| **Note**: Please contact your device supplier for device firmware images.\n\n\nThe most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\nThe [severity assessment](/docs/security/overview/updates-resources#severity) is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.\n\nAnnouncements\n-------------\n\n- In addition to the security vulnerabilities described in the August 2023 Android Security Bulletin, the August 2023 Wear OS Security Bulletin also contains patches specifically for Wear OS vulnerabilities as described below.\n\n2023-08-01 security patch level vulnerability details\n-----------------------------------------------------\n\n\nIn the sections below, we provide details for each of the security\nvulnerabilities that apply to the 2023-08-01 patch level.\nVulnerabilities are grouped under the component they affect.\nIssues are described in the tables below and include CVE ID, associated\nreferences, [type of vulnerability](#type),\n[severity](/security/overview/updates-resources#severity),\nand updated AOSP versions (where applicable).\nWhen available, we link the public change that addressed the issue to the\nbug ID, like the AOSP change list.\nWhen multiple changes relate to a single bug, additional references are\nlinked to numbers following the bug ID.\nDevices with Android 10 and later may receive security updates as well as\n[Google Play\nsystem updates](https://support.google.com/android/answer/7680439?).\n\n### Framework\n\nThe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n| CVE | References | Type | Severity | Updated AOSP versions |\n|----------------|-------------|------|----------|-----------------------|\n| CVE-2023-21229 | A-265431830 | EoP | High | 11, 13 |\n\n### Platform\n\nThe vulnerability in this section could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n| CVE | References | Type | Severity | Updated AOSP versions |\n|----------------|-------------|------|----------|-----------------------|\n| CVE-2023-21230 | A-191680486 | ID | High | 11, 13 |\n\n### System\n\nThe most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n| CVE | References | Type | Severity | Updated AOSP versions |\n|----------------|-------------|------|----------|-----------------------|\n| CVE-2023-21231 | A-187307530 | EoP | High | 13 |\n| CVE-2023-21234 | A-260859883 | EoP | High | 11, 13 |\n| CVE-2023-21235 | A-133761964 | EoP | High | 11, 13 |\n| CVE-2023-35689 | A-265474852 | EoP | High | 11, 13 |\n| CVE-2023-21232 | A-267251033 | ID | High | 11, 13 |\n| CVE-2023-21233 | A-261073851 | ID | High | 11 |\n\nCommon questions and answers\n----------------------------\n\nThis section answers common questions that may occur after reading this\nbulletin.\n\n**1. How do I determine if my device is updated to address these\nissues?**\n\nTo learn how to check a device's security patch level, read the instructions on the\n[Google device update schedule](https://support.google.com/googlepixelwatch/answer/13044412?hl=en&sjid=10776994459739913003-NA#zippy=%2Cupdate-your-pixel-watch).\n\n- Security patch levels of 2023-08-01 or later address all issues associated with the 2023-08-01 security patch level.\n\nFor some devices on Android 10 or later, the Google Play system update\nwill have a date string that matches the 2023-08-01\nsecurity patch level.\nPlease see [this article](https://support.google.com/android/answer/7680439?hl=en) for more details on how to install\nsecurity updates.\n\n\n**2. What do the entries in the *Type* column mean?**\n\nEntries in the *Type* column of the vulnerability details table\nreference the classification of the security vulnerability.\n\n| Abbreviation | Definition |\n|--------------|------------------------------|\n| RCE | Remote code execution |\n| EoP | Elevation of privilege |\n| ID | Information disclosure |\n| DoS | Denial of service |\n| N/A | Classification not available |\n\n\n**3. What do the entries in the *References* column mean?**\n\nEntries under the *References* column of the vulnerability details\ntable may contain a prefix identifying the organization to which the reference\nvalue belongs.\n\n| Prefix | Reference |\n|--------|---------------------------|\n| A- | Android bug ID |\n| QC- | Qualcomm reference number |\n| M- | MediaTek reference number |\n| N- | NVIDIA reference number |\n| B- | Broadcom reference number |\n| U- | UNISOC reference number |\n\nVersions\n--------\n\n| Version | Date | Notes |\n|---------|----------------|--------------------|\n| 1.0 | August 7, 2023 | Bulletin Published |"]]