🛠️Double free

Arbitrary write

As explained here, a free chunk contains the location of the next free chunk: the forward pointer. This means that if chunk a points to chunk b, then once chunk a is allocated, the next chunk of this size to be allocated will be chunk b.

A double free attack attempts to take control of this forward pointer.

By overwriting the forward pointer with an arbitrary memory address, the next malloc() will allocate this arbitrary location.

The address must point to a valid chunk structure: it must have a size field equal to the size of the bin being used.

How does it work?

When a chunk is freed, it is pushed onto the bin.

Here is what happens when the same chunk is freed twice:

```c
#include <stdlib.h>
int main(void) {
    char *a = malloc(0x20); // allocate a small (tcache-sized) chunk
    free(a);                // first free: chunk a is pushed onto the bin
    free(a);                // second free of the same pointer: the double free
}
```

In fact, current glibc now includes a check that detects this double free, as seen here:

```
$ ./test
free(): double free detected in tcache 2
Aborted
```
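To show what that check is doing, here is an added toy model of a tcache-style bin (this is not glibc's code, and the struct and function names are made up): every freed entry carries a forward pointer and a key marker, so a second free of the same chunk is rejected, while a free after the chunk has been handed out again by an allocation is accepted.

```c
#include <stddef.h>
/* Toy model of a tcache-style bin, added here as an illustration (not glibc
 * code; names are hypothetical). Each free entry carries a forward pointer
 * and a "key" marker, the two fields glibc's double-free check relies on. */
struct entry {
    struct entry *next;  /* forward pointer: next free chunk in the bin */
    void *key;           /* set to the bin's address while the chunk is free */
};
struct bin { struct entry *head; };

/* Push a chunk onto the bin: 0 on success, -1 when a double free is detected. */
static int bin_free(struct bin *b, struct entry *e) {
    if (e->key == b) {
        /* Marker says "already free"; walk the list to confirm, so user data
         * that merely happens to equal the key is not a false positive. */
        for (struct entry *p = b->head; p != NULL; p = p->next)
            if (p == e)
                return -1;  /* glibc aborts here: "double free detected in tcache 2" */
    }
    e->next = b->head;
    e->key = b;
    b->head = e;
    return 0;
}

/* Pop the most recently freed chunk and clear its key, so a later free is legitimate. */
static struct entry *bin_alloc(struct bin *b) {
    struct entry *e = b->head;
    if (e != NULL) {
        b->head = e->next;
        e->key = NULL;
    }
    return e;
}

/* The page's scenario: free(a); free(a);  -> -1 (detected on the second free). */
static int double_free_scenario(void) {
    struct bin b = { NULL };
    struct entry a = { NULL, NULL };  /* stands in for the 0x20-byte chunk a */
    bin_free(&b, &a);
    return bin_free(&b, &a);
}

/* free(a); malloc() hands a back; free(a) again  -> 0 (legitimate reuse). */
static int reuse_scenario(void) {
    struct bin b = { NULL };
    struct entry a = { NULL, NULL };
    bin_free(&b, &a); bin_alloc(&b);
    return bin_free(&b, &a);
}
```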

What happens if a malloc() with the same size is called again?

Chunk a is now both allocated and free at the same time.

This means that user data written into the chunk is placed at the same location as the forward and backward pointers.

A user can therefore write an arbitrary address that will be used as the forward pointer; the next malloc() will then allocate a chunk at an arbitrary position, which gives an arbitrary write.
