Embedded Software & Tools: EXT_EP-10680

IPC: RPMessage heap is sized wrong and is causing heap corruption of Rx messages


    • Bug
    • Resolution: Fixed
    • High
    • PDK
    • PDK-10423
    • PROCESSOR_SDK_08.00.00
    • PROCESSOR_SDK_08.01.00
    • am65xx-evm, j721e-evm, j7200-evm, am65xx-idk

      The IPC RPMessage internal heap logic is hard-coded for 512-byte buffers (the rpmsg vring transport buffer size), but this is not large enough to hold 496 bytes of payload, the maximum data payload of the rpmsg transport, when Rx messages are enqueued.

      The RPMessage_enque function allocates from the same heap using the data payload length (msg->dataLen) + sizeof(RPMessage_MsgElem). RPMessage_MsgElem is either 20 bytes (on 32-bit processors) or 28 bytes (on 64-bit processors), which is larger than the rpmsg header itself, which is just 16 bytes.
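
The sizing arithmetic described above, worked through as an added C example (not code from the PDK). The fixed-block pool `rx_pool_t` and its functions are hypothetical stand-ins for the RPMessage heap, the sizes are the ones stated in the issue, and the 524-byte `FIXED_BLOCK` is an assumed corrected sizing, not the fix that was shipped.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes stated in the issue. */
#define VRING_BUF_SIZE 512u  /* rpmsg vring buffer, also the heap block size */
#define RPMSG_HDR_SIZE  16u  /* rpmsg header */
#define MAX_PAYLOAD    (VRING_BUF_SIZE - RPMSG_HDR_SIZE)  /* 496 */
#define ELEM_SIZE_32    20u  /* sizeof(RPMessage_MsgElem) on 32-bit */
#define ELEM_SIZE_64    28u  /* sizeof(RPMessage_MsgElem) on 64-bit */
/* Assumption: a corrected block holds the largest payload plus the largest element. */
#define FIXED_BLOCK    (MAX_PAYLOAD + ELEM_SIZE_64)       /* 524 */
#define POOL_BLOCKS      4u

/* Hypothetical fixed-block pool standing in for the RPMessage heap. */
typedef struct {
    size_t  block_size;
    uint8_t used[POOL_BLOCKS];
    uint8_t mem[POOL_BLOCKS * FIXED_BLOCK];
} rx_pool_t;

void rx_pool_init(rx_pool_t *p, size_t block_size)
{
    memset(p, 0, sizeof *p);
    p->block_size = block_size > FIXED_BLOCK ? FIXED_BLOCK : block_size;
}

/* Bytes by which a maximum-size Rx message overruns one block (0 = it fits). */
size_t rx_overrun(size_t block_size, size_t elem_size)
{
    size_t need = (size_t)MAX_PAYLOAD + elem_size;
    return need > block_size ? need - block_size : 0;
}

/* Enqueue one Rx payload behind elem_size bytes of queue bookkeeping.
 * Returns the block index, -1 if the request does not fit in one block
 * (the case that would corrupt the next block), -2 if the pool is full. */
int rx_enqueue(rx_pool_t *p, const uint8_t *data, size_t len, size_t elem_size)
{
    if (len > MAX_PAYLOAD || len + elem_size > p->block_size)
        return -1;
    for (size_t i = 0; i < POOL_BLOCKS; i++) {
        if (p->used[i]) continue;
        uint8_t *blk = p->mem + i * p->block_size;
        p->used[i] = 1;
        memset(blk, 0, elem_size);           /* element bookkeeping area */
        memcpy(blk + elem_size, data, len);  /* payload follows the element */
        return (int)i;
    }
    return -2;
}
```

With 512-byte blocks a full 496-byte payload overruns by 4 bytes on 32-bit and 12 bytes on 64-bit, which the size check in `rx_enqueue` rejects instead of writing into the adjacent block.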

            syncuser TI User