I'm confused on this point. The text you quote implies that they were able to build an exploit, but the text quoted in the parent comment implies that they were not.
What were they actually able to do and not do? I got confused by this when reading the article as well.
They successfully built local privilege escalation exploits (from several bugs each), and found other remotely-accessible bugs, but were not able chain their remote bugs to make remotely-accessible exploits.
What were they actually able to do and not do? I got confused by this when reading the article as well.