The sndctlelemadd function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the userctlcount value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRVCTLIOCTLELEM_REPLACE ioctl calls.