diff --git a/src/binary-exploitation/libc-heap/README.md b/src/binary-exploitation/libc-heap/README.md index 8606e46d5f5..6cb9d4f73ab 100644 --- a/src/binary-exploitation/libc-heap/README.md +++ b/src/binary-exploitation/libc-heap/README.md 
@@ -535,10 +535,28 @@ Study allocator-specific primitives derived from real-world bugs: virtualbox-slirp-nat-packet-heap-exploitation.md {{#endref}} +## musl mallocng exploitation notes (Alpine) + +- **Slab group/slot grooming for huge linear copies:** mallocng sizeclasses use mmap()'d groups whose slots are fully `munmap()`'d when empty. For long linear copies (~0x15555555 bytes), keep the span mapped (avoid holes from released groups) and place the victim allocation adjacent to the source slot. +- **Cycling offset mitigation:** On slot reuse mallocng may advance the user-data start by `UNIT` (0x10) multiples when slack fits an extra 4-byte header. This shifts overwrite offsets (e.g., LSB pointer hits) unless you control reuse counts or stick to strides without slack (e.g., Lua `Table` objects at stride 0x50 show offset 0). Inspect offsets with muslheap’s `mchunkinfo`: + +```gdb +pwndbg> mchunkinfo 0x7ffff7a94e40 +... stride: 0x140 +... cycling offset : 0x1 (userdata --> 0x7ffff7a94e40) +``` + +- **Prefer runtime-object corruption over allocator metadata:** mallocng mixes cookies/guarded out-of-band metadata, so target higher-level objects. In Redis’s Lua 5.1, `Table->array` points to an array of `TValue` tagged values; overwriting the LSB of a pointer in `TValue->value` (e.g., with the JSON terminator byte `0x22`) can pivot references without touching malloc metadata. +- **Debugging stripped/static Lua on Alpine:** Build a matching Lua, list symbols with `readelf -Ws`, strip function symbols via `objcopy --strip-symbol` to expose struct layouts in GDB, then use Lua-aware pretty-printers (GdbLuaExtension for Lua 5.1) plus muslheap to check stride/reserved/cycling-offset values before triggering the overflow. 
+ ## References - [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/) - [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/) +- [Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap](https://www.nccgroup.com/research-blog/pumping-iron-on-the-musl-heap-real-world-cve-2022-24834-exploitation-on-an-alpine-mallocng-heap/) +- [musl mallocng enframe (v1.2.4)](https://git.musl-libc.org/cgit/musl/tree/src/malloc/mallocng/meta.h?h=v1.2.4#n196) +- [muslheap GDB plugin](https://github.com/xf1les/muslheap) +- [GdbLuaExtension (Lua 5.1 support)](https://github.com/fidgetingbits/GdbLuaExtension) {{#include ../../banners/hacktricks-training.md}}
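Review bot: the first new bullet ("Slab group/slot grooming for huge linear copies") mixes up slots and groups and leaves its size figure unexplained. In mallocng it is a whole group (the mapping holding several slots of one size class) that is released once every slot in it is free, not an individual slot, so "slots are fully `munmap()`'d when empty" should read along the lines of "a group is unmapped once all of its slots are free, which punches holes in the span". The "~0x15555555 bytes" value is given with no origin; it reads as specific to the CVE-2022-24834 case described in the linked NCC Group post rather than a general mallocng property, so either attribute it to that write-up in the bullet or phrase the advice generically ("for copies spanning many groups"). Minor: the `gdb` fence shows `...`-elided `mchunkinfo` fields; a one-line note that only `stride` and `cycling offset` are shown would keep readers from expecting that exact output.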