FireEye wrote in a blog post that the exploit involves a race condition in the shader class, in which “asynchronously modifying the width/height of a shader object while starting a shader job will result in a memory corruption vulnerability.”
Once it is determined that a target is vulnerable, a vector of length 0x400 is filled with vectors of length 0xA6. After this point, a ShaderJob is created with a set width of 0. Once a ShaderJob is started, its width is set to 0x25E. Then, an attacker must wait 0x12C before continuing, and the series of steps is repeated to find one whose length is not 0xA6 or 0xA6*2. This corrupted vector can be used for out-of-bounds memory accesses.
After corruption, the attackers use a control-flow transfer to themselves.