This attack is basically the forging chunks attack for small and large bins. However, due to an added protection for large bins around 2007 (the introduction of fd_nextsize and bk_nextsize), it became impractical for large bins. Here we shall see the case only for small bins. First, a small chunk is placed in a small bin. Its bk pointer is then overwritten to point to a fake small chunk. Note that in the case of small bins, insertion happens at the HEAD and removal at the TAIL. A malloc call will first remove the authentic chunk from the bin, leaving the attacker's fake chunk at the TAIL of the bin. The next malloc will return the attacker's chunk.
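The small-bin behaviour described above, modelled as an added example (not code from the original page or from glibc): a circular list with HEAD insertion and TAIL removal, plus the back-link check `bck->fd == victim` that glibc's small-bin removal performs, which refuses a chunk whose bk was overwritten. The struct, the function names and the simulated overwrite are assumptions made for this toy model.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a small bin: circular doubly linked list with a sentinel.
   Hypothetical names; this is not allocator source code. */
struct chunk { struct chunk *fd, *bk; };

static void bin_init(struct chunk *bin) { bin->fd = bin->bk = bin; }

/* Insertion happens at the HEAD (bin->fd). */
static void insert_head(struct chunk *bin, struct chunk *c) {
    c->fd = bin->fd;
    c->bk = bin;
    bin->fd->bk = c;
    bin->fd = c;
}

/* Removal happens at the TAIL (bin->bk). With `checked` set, refuse to
   unlink when the victim's bk does not link back to the victim. */
static struct chunk *remove_tail(struct chunk *bin, int checked) {
    struct chunk *victim = bin->bk;
    if (victim == bin) return NULL;                 /* empty bin */
    struct chunk *bck = victim->bk;
    if (checked && bck->fd != victim) return NULL;  /* list corrupted */
    bin->bk = bck;
    bck->fd = bin;
    return victim;
}

/* Constructed scenario: `real` sits in the bin, its bk is overwritten to
   point at `fake`, then two removals run. Returns the second result. */
static struct chunk *second_removal(int checked, struct chunk *real,
                                    struct chunk *fake) {
    static struct chunk bin;
    bin_init(&bin);
    bin_init(fake);               /* fake chunk's links point at itself */
    insert_head(&bin, real);
    real->bk = fake;              /* simulated overwrite of bk */
    if (remove_tail(&bin, checked) == NULL) return NULL;
    return remove_tail(&bin, checked);
}

int main(void) {
    struct chunk real, fake;
    printf("unchecked returns fake chunk: %d\n",
           second_removal(0, &real, &fake) == &fake);
    printf("checked rejects corrupted bk: %d\n",
           second_removal(1, &real, &fake) == NULL);
    return 0;
}
```

In the checked run the very first removal fails, because the fake chunk's fd does not point back at the authentic chunk.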