That doesn't matter - if the exploit "allows kernel-level access" then the HBMenu itself would run at kernel level.the launcher is, not the exploit.
The question will still remain even if weaker until sources of the exploit are released.
My guess is that Cubic Ninja developers simply f*cked up, which does happen quite often, and allocated more memory than they would ever possibly need, leaving plenty of space for your own binary. Of course this is all speculation, I don't dabble in this sort of thing.You still can't execute your own code though.
I'm talking about a different level of protection, memory protection.
It doesn't get write access to executable regions of memory, and there's no access to setting memory to be executable either. So there should be no way to actually execute your own code even if you can load it without a kernel exploit.