guyinatuxedo / Shogun


malloc misalignment in pwn demos

k4lizen opened this issue · comments

Some pwn demos (I found this in tcache linked list, more may be susceptible) crash due to malloc misalignment, i.e. in that particular case, the target variable does not have an address divisible by 0x10. We can see how how2heap handles this:

	#include <stddef.h>
	#include <stdio.h>

	int main(void) {
		size_t stack_var[0x10];
		size_t *target = NULL;

		// choose a properly aligned target address (low 4 bits clear, i.e. 16-byte aligned)
		for(int i=0; i<0x10; i++) {
			if(((long)&stack_var[i] & 0xf) == 0) {
				target = &stack_var[i];
				break;
			}
		}

		printf("aligned target: %p\n", (void *)target);
		return 0;
	}

here: https://github.com/shellphish/how2heap/blob/master/glibc_2.35/tcache_poisoning.c
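As an added example (not code from the Shogun repo or from how2heap): the alignment test that glibc's `tcache_get` applies (its `aligned_OK` macro, which aborts with "malloc(): unaligned tcache chunk detected" in glibc 2.32 and later) reimplemented on its own, with the how2heap search loop factored into a reusable helper so a demo can check its target before handing it to the allocator. The names `aligned_ok`, `first_aligned_slot` and `demo` are chosen here and are not glibc or how2heap identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MALLOC_ALIGNMENT is 16 on x86-64 glibc, so a chunk address must have
 * its low 4 bits clear. This mask reproduces glibc's MALLOC_ALIGN_MASK. */
#define MALLOC_ALIGN_MASK 0xf

/* Reimplementation of glibc's aligned_OK(): returns 1 if p would be
 * accepted as a tcache chunk address, 0 if tcache_get would abort on it. */
int aligned_ok(const void *p) {
    return ((uintptr_t)p & MALLOC_ALIGN_MASK) == 0;
}

/* Return the first of the n elements of buf whose address is 16-byte
 * aligned, or NULL if none qualifies. This is the how2heap loop from the
 * issue above, factored out so it can be reused for any stack target. */
size_t *first_aligned_slot(size_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (aligned_ok(&buf[i]))
            return &buf[i];
    }
    return NULL;
}

/* Walk through the situation from the issue: a demo picks a target on the
 * stack, and only an aligned one survives glibc's check. Returns 0 when an
 * aligned target was found, 1 otherwise. */
int demo(void) {
    size_t stack_var[0x10];  /* constructed sample target area */
    size_t *target = first_aligned_slot(stack_var, 0x10);
    if (target == NULL)
        return 1;
    printf("stack_var at %p, aligned target at %p\n",
           (void *)stack_var, (void *)target);
    /* The neighbouring slot is sizeof(size_t) bytes away and fails the
     * same check, which is exactly why an arbitrary &stack_var[i] crashes. */
    printf("aligned_ok(target)=%d  aligned_ok(target+1)=%d\n",
           aligned_ok(target), aligned_ok(target + 1));
    return 0;
}

int main(void) {
    return demo();
}
```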