If you think that's bad, you should look at Linux kernel CVEs. They're basically gone rogue when it comes to CVEs. Every minor bug gets flagged as a CVE, regardless of impact. Often, exploitation requires root access. If you have root, you've already won and can do whatever the hell you want. No need to exploit a bug to cause problems.