How practical is it for the flaw to be actually exploited in the scary way it's been portrayed?
Eg Javascript in a browser stealing user credentials.
Where's the proof of concept?
Does the kernel even store user credentials in memory after the user's logged on?