The unlink and double-free primitives you are tracing here drove real glibc CVEs and pushed the allocator team to add safe-unlinking checks and safe-linking pointer mangling in glibc 2.32+; browser exploit chains (V8, WebKit heap sprays) use the same use-after-free-to-arbitrary-write pattern against JavaScript engines. how2heap on GitHub is the canonical hands-on reference for these exact techniques.