diff --git a/sys/dev/sound/pcm/sndstat.c b/sys/dev/sound/pcm/sndstat.c
--- a/sys/dev/sound/pcm/sndstat.c
+++ b/sys/dev/sound/pcm/sndstat.c
@@ -864,6 +864,11 @@
 		goto done;
 	}
 
+	if (arg->nbytes > SNDST_UNVLBUF_MAX) {
+		err = ENOMEM;
+		goto done;
+	}
+
 	err = sndstat_unpack_user_nvlbuf(arg->buf, arg->nbytes, &nvl);
 	if (err != 0)
 		goto done;
diff --git a/sys/sys/sndstat.h b/sys/sys/sndstat.h
--- a/sys/sys/sndstat.h
+++ b/sys/sys/sndstat.h
@@ -74,6 +74,11 @@
 #define SNDST_DSPS_SOUND4_PVCHAN	"pvchan"
 #define SNDST_DSPS_SOUND4_RVCHAN	"rvchan"
 
+/*
+ * Maximum user-specified nvlist buffer size
+ */
+#define SNDST_UNVLBUF_MAX		65535
+
 #define SNDSTIOC_REFRESH_DEVS \
 	_IO('D', 100)
 #define SNDSTIOC_GET_DEVS \