diff --git a/app/Makefile.version b/app/Makefile.version
index c7ab87c4..77eedab5 100644
--- a/app/Makefile.version
+++ b/app/Makefile.version
@@ -3,4 +3,4 @@ APPVERSION_M=2
 # This is the minor version of this release
 APPVERSION_N=4
 # This is the patch version of this release
-APPVERSION_P=8
+APPVERSION_P=9
diff --git a/app/src/candid/nns_parser.c b/app/src/candid/nns_parser.c
index d640c872..bc178a8b 100644
--- a/app/src/candid/nns_parser.c
+++ b/app/src/candid/nns_parser.c
@@ -147,6 +147,9 @@ __Z_INLINE parser_error_t readCommandSpawn(parser_context_t *ctx, candid_transac
         CHECK_PARSER_ERR(readCandidByte(ctx, &has_principal))
         if (has_principal) {
             CHECK_PARSER_ERR(readCandidByte(ctx, &val->command.spawn.new_controller.len))
+            if (val->command.spawn.new_controller.len > DFINITY_PRINCIPAL_LEN) {
+                return parser_unexpected_value;
+            }
             CHECK_PARSER_ERR(readCandidBytes(ctx, val->command.spawn.new_controller.ptr, val->command.spawn.new_controller.len))
         }
     }
diff --git a/app/src/parser_print_helper.c b/app/src/parser_print_helper.c
index a4eede77..3021a436 100644
--- a/app/src/parser_print_helper.c
+++ b/app/src/parser_print_helper.c
@@ -164,10 +164,12 @@ parser_error_t page_principal_with_subaccount(const uint8_t *sender, uint16_t se
     uint16_t principalLen = sizeof(text);
     zxerr_t err = zxerr_unknown;
     err = crypto_principalToTextual(sender, senderLen, text_ptr, &principalLen);
+    // maximum length without separators is 53
     if (err != zxerr_ok || principalLen > 53) {
         return parser_unexpected_error;
     }
-    const uint8_t principalTextLen = (uint8_t)(principalLen + principalLen / 6);
+    // every 5 chars there's a separator, and last block has no separator after it
+    const uint8_t principalTextLen = (uint8_t)(principalLen + principalLen / 5 - (principalLen % 5 ? 0 : 1));
     for (uint8_t i = 5; i < principalTextLen; i += 6) {
         // two blocks separated with dash, 3rd with SEPARATOR
         if ((i + 1) % 18 == 0) err = inplace_insert_char(text_ptr, sizeof(text), i, SEPARATOR); // line break
@@ -176,8 +178,11 @@ parser_error_t page_principal_with_subaccount(const uint8_t *sender, uint16_t se
             return parser_unexpected_error;
         }
     }
-    // we are sure it's going to be up to 63
+    // we are sure it's going to be up to 63 (53 + 10)
     principalLen = (uint16_t)strnlen(text, sizeof(text));
+    if (principalLen > 63) {
+        return parser_unexpected_value;
+    }
     *(text_ptr + principalLen) = '-';
     text_ptr += principalLen + 1;
 
diff --git a/deps/ledger-zxlib b/deps/ledger-zxlib
index b5e1e7d6..52dfdeae 160000
--- a/deps/ledger-zxlib
+++ b/deps/ledger-zxlib
@@ -1 +1 @@
-Subproject commit b5e1e7d6d99153cd42d0cca19c3acd66aed39340
+Subproject commit 52dfdeae81bb0b50cf3332f4690ed5c978f15f27
diff --git a/deps/nanos-secure-sdk b/deps/nanos-secure-sdk
index 12e5f6f8..30189cfd 160000
--- a/deps/nanos-secure-sdk
+++ b/deps/nanos-secure-sdk
@@ -1 +1 @@
-Subproject commit 12e5f6f875bf5deb9464b944f50079aaca1a3b98
+Subproject commit 30189cfd070040e5c144d4dab103d549302dcfff
diff --git a/deps/nanosplus-secure-sdk b/deps/nanosplus-secure-sdk
index 94d7aa34..45ccba9c 160000
--- a/deps/nanosplus-secure-sdk
+++ b/deps/nanosplus-secure-sdk
@@ -1 +1 @@
-Subproject commit 94d7aa340f6393bedd83fe4275497a2898d2273c
+Subproject commit 45ccba9cd72eaae0d1305b9d519d3702fb4e138b
diff --git a/deps/nanox-secure-sdk b/deps/nanox-secure-sdk
index 7b829b70..2d6e2e0d 160000
--- a/deps/nanox-secure-sdk
+++ b/deps/nanox-secure-sdk
@@ -1 +1 @@
-Subproject commit 7b829b7044b8ecdff07bc5d1b61b644e9342e584
+Subproject commit 2d6e2e0d2eda2a09bc79bdf57b6b2e3d708eec1d
diff --git a/deps/stax-secure-sdk b/deps/stax-secure-sdk
index af0acac6..cabc1590 160000
--- a/deps/stax-secure-sdk
+++ b/deps/stax-secure-sdk
@@ -1 +1 @@
-Subproject commit af0acac6afaadbabffe0571d48652406f49dd5a7
+Subproject commit cabc159007c6d257636ce8fb5b779b7b69f78c91
diff --git a/tests_zemu/snapshots/s-mainmenu/00004.png b/tests_zemu/snapshots/s-mainmenu/00004.png
index 13eb5053..572fb5cf 100644
Binary files a/tests_zemu/snapshots/s-mainmenu/00004.png and b/tests_zemu/snapshots/s-mainmenu/00004.png differ
diff --git a/tests_zemu/snapshots/s-mainmenu/00010.png b/tests_zemu/snapshots/s-mainmenu/00010.png
index 13eb5053..572fb5cf 100644
Binary files a/tests_zemu/snapshots/s-mainmenu/00010.png and b/tests_zemu/snapshots/s-mainmenu/00010.png differ
diff --git a/tests_zemu/snapshots/sp-mainmenu/00004.png b/tests_zemu/snapshots/sp-mainmenu/00004.png
index a8d94f47..c8b61779 100644
Binary files a/tests_zemu/snapshots/sp-mainmenu/00004.png and b/tests_zemu/snapshots/sp-mainmenu/00004.png differ
diff --git a/tests_zemu/snapshots/sp-mainmenu/00010.png b/tests_zemu/snapshots/sp-mainmenu/00010.png
index a8d94f47..c8b61779 100644
Binary files a/tests_zemu/snapshots/sp-mainmenu/00010.png and b/tests_zemu/snapshots/sp-mainmenu/00010.png differ
diff --git a/tests_zemu/snapshots/st-mainmenu/00001.png b/tests_zemu/snapshots/st-mainmenu/00001.png
index 782f3818..ddd88b84 100644
Binary files a/tests_zemu/snapshots/st-mainmenu/00001.png and b/tests_zemu/snapshots/st-mainmenu/00001.png differ
diff --git a/tests_zemu/snapshots/x-mainmenu/00004.png b/tests_zemu/snapshots/x-mainmenu/00004.png
index a8d94f47..c8b61779 100644
Binary files a/tests_zemu/snapshots/x-mainmenu/00004.png and b/tests_zemu/snapshots/x-mainmenu/00004.png differ
diff --git a/tests_zemu/snapshots/x-mainmenu/00010.png b/tests_zemu/snapshots/x-mainmenu/00010.png
index a8d94f47..c8b61779 100644
Binary files a/tests_zemu/snapshots/x-mainmenu/00010.png and b/tests_zemu/snapshots/x-mainmenu/00010.png differ