"Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"
I think what they're trying to say is that Polkit has different AAA rules than sudo does, which you might not expect. So, gain mastery of Polkit and all the other new *Kits and systemd and whatnot if you expect to be able to run a secure server.
Even if they are publicity whoring and trying to get the press excited about a "Christmas-themed" vulnerability (I was waiting for "Redhat added PolKit and you won't believe what happened next..."), there's a kernel of truth in there that's worth knowing about.
And, yeah, I wouldn't expect a CVE to be issued.