tyler_sorensen

This sentence is wrong and it makes the vulnerability seem less severe than it is:

The vulnerability requires access to a user's device, it can't be done remotely.

It doesn't require access to the device. The attack can be executed from a malicious app. The blog post states:

This is a co-resident exploit, meaning that a threat actor’s avenue of attack could be implemented as another application, app, or user on a shared machine. The attacker only requires the ability to run GPU compute applications, e.g., through OpenCL, Vulkan, or Metal. These frameworks are well-supported and typically do not require escalated privileges.

It is still not trivial to exploit (apps need to be run at the same time), but certainly doesn't require physical access.