Android Security Bulletins are very commonly misinterpreted as being Android's monthly security patches. They're actually backports of most High and Critical severity patches to older releases of Android: 12, 12L, 13, 14 and 15. Yes, Android 15 is an older release of Android.
March security bulletin lists 2 vulnerabilities as actively exploited in the wild:
https://source.android.com/docs/security/bulletin/2025-03-01
CVE-2024-43093 patch was in Android 15 QPR1 released in December. It's just being backported now.
CVE-2024-50302 doesn't impact GrapheneOS due to our exploit protections.
Discussion
Thank you for this little accessible explanation! I still have problems grasping which Android update (where I mean "update" in a very general sense) means whar exactly. There are so many, the ASP, AOSP releases, Pixel specific ones... a comprehensive table would be so helpful!
"Android 15 is an older release of Android" because the most current QPR is treated as the most current Android?