I don't have absolute proof yet, but I'm 90% certain that the carrier LWM2M (0.8.1+build1) has a memory leak when used with a +CEREG notification level higher than it is expecting.
I know the carrier library defaults to one of the lower CEREG notification levels. What I suspect is that if the application increases it by sending AT+CEREG=5, then every time a +CEREG notification shows up the carrier library is failing to free the memory allocations for all of the at_params items.
Our application has a memory leak that only exists only when the carrier LWM2M is compiled in. I have debugging code into the Zephyr mempool subsystem to count how many allocations are outstanding, and I can see the baseline go up by 2 around the time of each CEREG notification. I have shims around every alloc/free operation from within our application code, and have convinced myself that the leak is not internal to us. It is coming from somewhere in the wider NCS ecosystem (a NRF or Zephyr library).
Lastly, I noticed the bit in lwm2m_os.c function at_params_list_translate() where the carrier library steals at_params allocations with the expectation that it will free them internally later. I'm highly suspicious that you're not doing that properly in this case.
I'm still investigating and will provide better proof when I get it, but I would like if someone who has access to the carrier LWM2M source code could do a quick code review of this one thing?
