From the article: "Following a request for additional details from ZDNet, Groß said "the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape" in order to run code on an underlying operating system."