Rating: 5.0
Null byte overflow in glibc 2.29.
Use the null byte overflow to change a chunk's size after it's already been freed, which allows you to free it again into a different tcache bin.
Use this as a double free, then do a tcache poisoning attack to overwrite `__free_hook` with `system` for RCE.
