Weston Embedded uC-HTTP HTTP Server Host header parsing memory corruption vulnerability

We discussed this vulnerability during Episode 224 on 14 November 2023.

A simple off-by-one issue. The application parses the Host header and gets its length, checks that length against the maximum size of the buffer it's going to be copied into, copies the value over, and adds a null byte to the end. When adding the null byte, if the string is the maximum size, it can end up writing the null byte one byte out of bounds, leading to an off-by-one null write.

This turned out to be likely exploitable because of the heap metadata stored at the beginning of a free block: the one-byte write can overwrite the least significant bits of a pointer to the next free block (assuming the OOB write lands in a previously allocated and now free block). That null write should leave the pointer from which the next free block is read pointing into user-controlled memory, giving the attacker control of where the next allocation writes to. This is similar to a House of Spirit type of primitive, but without the sanity checks to bypass.
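The off-by-one null write described above, as an added C example (not uC-HTTP's code): the flawed length check beside a corrected one, with a canary byte standing in for the first byte of whatever follows the buffer. `HOST_MAX`, the function names and the exact comparison are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define HOST_MAX 16  /* assumed logical buffer size, not uC-HTTP's value */

/* Flawed pattern: a length equal to cap passes the check, so the
 * terminator lands at dst[cap], one byte past the logical buffer. */
static int copy_host_flawed(unsigned char *dst, size_t cap,
                            const char *val, size_t len)
{
    if (len > cap)
        return -1;
    memcpy(dst, val, len);
    dst[len] = '\0';          /* len == cap -> writes dst[cap] */
    return 0;
}

/* Corrected: reserve room for the terminator before copying. */
static int copy_host_fixed(unsigned char *dst, size_t cap,
                           const char *val, size_t len)
{
    if (cap == 0 || len > cap - 1)
        return -1;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Harness: region[0..HOST_MAX-1] is the host buffer and region[HOST_MAX]
 * is a canary modelling the adjacent byte, so the stray write stays inside
 * a real array. Returns the canary after copying `len` filler bytes. */
static unsigned char canary_after(int use_fixed, size_t len, int *rc)
{
    unsigned char region[HOST_MAX + 1];
    char val[HOST_MAX + 8];   /* constructed header value, all 'A' */

    if (len > sizeof val) len = sizeof val;
    memset(val, 'A', sizeof val);
    memset(region, 0, HOST_MAX);
    region[HOST_MAX] = 0xAA;
    *rc = use_fixed ? copy_host_fixed(region, HOST_MAX, val, len)
                    : copy_host_flawed(region, HOST_MAX, val, len);
    return region[HOST_MAX];
}
```

A value of exactly `HOST_MAX` bytes is accepted by the flawed check and zeroes the canary; the corrected check rejects it and leaves the canary intact.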