I noticed recently that vTaskSetThreadLocalStoragePointer (current version in github) can write out of bounds if it is called with xTaskToSet is NULL and the scheduler hasn’t yet been started.
In that case prvGetTCBFromHandle will return NULL, which isn’t checked for. Then that NULL is used as a TCB_t and indexed: pxTCB->pvThreadLocalStoragePointers[ xIndex ] = pvValue;
This didn’t cause an immediate crash or hard fault but (since the address it attempted to write to was in flash) caused a flash programming error flag to be set that caused me problems later. This is on an STM32L451RE microcontroller.
I realise that I shouldn’t have called it before starting the scheduler, but it would have been nice to get a configASSERT instead of it silently scribbling on some random memory.