Specifically, it leaks a kernel address inside a security-sensitive structure, which is supposed to be unpredictable / unknowable because the layout of kernel memory is randomized.
If you have another exploit that will write bytes under the attacker’s control to an attacker-supplied kernel address, you will be able to do the Windows equivalent of escalate to root.
If you have another exploit that will write bytes under the attacker’s control to an attacker-supplied kernel address, you will be able to do the Windows equivalent of escalate to root.