Direct remote privilege escalation exploits in kernels are relatively rare.

The usual attack path is exploiting an application bug for local user access, followed by a local privilege escalation.