
Impressive, but not surprising. Chrome isn't magical; ASLR and DEP have been bypassed in the past, and even if its own sandbox is perfect, the kernel it's sitting under is a huge attack surface.


ASLR and DEP, by and large, have nothing to do with the kernel. ASLR is a function of the binary loader and memory allocators, which are in userland. DEP is a function of userland memory protection flags (they're handled on the bare metal by the kernel, but the kernel just sets what it's told to by the userland). I'd put any amount of money down on the table that there is no kernel vulnerability here at all -- if there was one, I assure you that it'd be more than a Chrome vuln.
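A small C program, added here as an illustration and not part of this thread, that makes the point above concrete: the protection bits on a page are whatever userland asks for, and the kernel simply applies them. It maps a page read-write, then downgrades it to read-only with mprotect (the W^X discipline a DEP-aware allocator follows), and audits a maps-format listing for regions that are both writable and executable. The maps listing is a constructed sample, and reading the live mappings from /proc/self/maps is a Linux-specific assumption; the function degrades gracefully where /proc is absent. Running the program twice shows the anonymous mapping landing at a different address each time when ASLR is active.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON          /* BSD/macOS spelling */
#endif

/* Constructed sample in /proc/self/maps layout (not a real capture). The
 * second mapping is both writable and executable, which a W^X audit flags. */
const char *SAMPLE_MAPS =
    "55d0c0a00000-55d0c0a01000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0    [anon:jit]\n"
    "7ffd4e2c0000-7ffd4e2e1000 rw-p 00000000 00:00 0    [stack]\n";

/* Parse one maps-format line into its address range and 4-character
 * permission string such as "rwxp". Returns 1 on success, 0 otherwise. */
int parse_maps_line(const char *line, uintptr_t *start, uintptr_t *end, char perms[5])
{
    unsigned long s, e;
    if (sscanf(line, "%lx-%lx %4s", &s, &e, perms) != 3)
        return 0;
    *start = (uintptr_t)s;
    *end = (uintptr_t)e;
    return 1;
}

/* Count mappings whose flags carry both 'w' and 'x': memory that can be
 * written and then executed, i.e. a region where DEP/NX offers nothing. */
int count_wx_mappings(const char *maps_text)
{
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        uintptr_t s, e;
        char perms[5];
        if (parse_maps_line(line, &s, &e, perms) && perms[1] == 'w' && perms[2] == 'x')
            count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Permission string of the live mapping containing addr, read from
 * /proc/self/maps (Linux-specific assumption). Returns 1 and fills perms
 * when found, 0 when nothing covers addr, -1 when /proc is unavailable. */
int perms_of_address(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[1024];
    uintptr_t a = (uintptr_t)addr, s, e;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_maps_line(line, &s, &e, perms) && a >= s && a < e) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Userland picks the protection bits: map a page RW, fill it, then ask the
 * kernel to drop write access. Returns 1 when the downgrade took effect
 * (and, where /proc is available, is reflected in the mapping's flags). */
int demo_wx_downgrade(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return 0;
    page[0] = 0x41;                         /* writable while RW */
    int ok = mprotect(page, pg, PROT_READ) == 0 && page[0] == 0x41;
    char perms[5] = "";
    if (ok && perms_of_address(page, perms) == 1)
        ok = perms[0] == 'r' && perms[1] == '-' && perms[2] == '-';
    munmap(page, pg);
    return ok;
}

int main(void)
{
    printf("W^X violations in constructed sample: %d\n", count_wx_mappings(SAMPLE_MAPS));
    printf("RW->R downgrade requested by userland honoured: %s\n",
           demo_wx_downgrade() ? "yes" : "no");
    /* Under ASLR this anonymous mapping lands elsewhere on every run. */
    void *probe = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (probe != MAP_FAILED) {
        printf("anonymous mapping at %p (compare across runs)\n", probe);
        munmap(probe, 4096);
    }
    return 0;
}
```

The audit function is the same check a hardening review runs against a live process: any "rwx" line in its maps is a page where an attacker who gains a write also gains execution, regardless of whether the kernel enforces NX on every other page.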


I know; my comments about ASLR/DEP and the kernel were intended to be separate. As for whether there's a kernel vulnerability, I'll defer to you (although it doesn't have to be full-fledged arbitrary code execution; it can just be a system call that's lax about security tokens), but in general the breadth of kernel code the renderers can access is pretty large.



