[Yaffs] strange OOB "corruption"

After using Yaffs2 without any problems during months, some of our
products start to have a strange behavior :

Some of the blocks are corrupted outside Yaffs state machine (data is lost)
I can't reproduce the issue from now but I can get some Nand raw dump.
Analyzing them, I extracted some strange OOB for these "fake" bad
blocks, here is the extracted OOB (of first page on concerned block) :

00000000 13 14 3f d4 00 00 2b 01 00 00 03 00 00 00 00 08
|..?...+.........|
00000010 00 00 0f 00 00 00 08 00 00 00 08 00 00 00 2d e9
|..............-.|
00000020 3c 01 9f e5 9a fd ff eb fc 03 c3 00 0c f3 65 5a
|<.............eZ|
00000030 9b 30 0f f3 0f cf 33 6a 95 9b a5 9a 57 65 6a 6b
|.0....3j....Wejk|

Many bytes change from one fake bad block to another but bytes 0-1 and
0x1E - 0x28 are always the same (1314 .... 2DE93C019FE59AFDFFEB)
In my mind, with Yaffs, a good block will start with FFFFFFFF and a bad
block with 0000000 (followed by 55AA padding).
I really don't understand how something can access to this layer (in my
mind, only Yaffs driver and mtd utils, through ioctls, can write it)

Anyway, I'm still trying to learn how Yaffs use this OOB to check
integrity of all bytes.

Is there any known leak in Yaffs which can cause this ?
Are the "1314" or "2DE9..." meaning something to you ?

Regards, Martin