Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability
(www.theregister.com)
The package manager doesn't have special permission. The new kernel you download is also signed for you and trusted by your system.
If it wasn't trusted, the next time you boot, the kernel won't load because the bootloader will refuse to load the unsigned code.