Really, if the controller is doing any DHCP protection functionalities, it should enforce lease end times. The fact that it doesn't opens some first-hop security holes, though they are tedious to exploit.
I haven't observed the second part of the problem, where the user-table entry prevents the establishment of a new entry for the new owner of the address. I have not gone looking for it, though. I run with all the DHCP enforcement and spoofing protection bells and whistles enabled; have you tried those? Maybe something in them is ameliorating the problem for me.
No question the "victim" clients are also broken. They are supposed to ARP for the address before using it, the controller should respond for the sleeping host, and the "victim" should DHCPNAK for a different address.
But us veterans know waiting for client-side fixes is futile.
Long term, perhaps a way to hook ARP probes into DHCP-server ping-checks might be manageable; e.g. a proxy ping responder when an ARP response is seen.
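
An added example, not part of the original post and not the controller's own code: a minimal model of a binding table fed by snooped DHCPACKs that enforces lease end times, so a sleeping host's stale entry can neither keep using the address nor block its new owner. The class and method names are hypothetical, and the MAC and IP values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    expires: float  # absolute time at which the snooped lease ends


class BindingTable:
    """Hypothetical IP-to-MAC table built from snooped DHCPACKs."""

    def __init__(self):
        self._by_ip = {}

    def expire(self, now):
        """Drop every binding whose lease has ended; return the freed IPs."""
        stale = [ip for ip, b in self._by_ip.items() if b.expires <= now]
        for ip in stale:
            del self._by_ip[ip]
        return stale

    def on_dhcp_ack(self, mac, ip, lease_secs, now):
        """Record a lease seen on the trusted server port.

        Returns the MAC of a still-live binding that was displaced
        (an anomaly worth logging), otherwise None.
        """
        self.expire(now)
        prev = self._by_ip.get(ip)
        self._by_ip[ip] = Binding(mac, now + lease_secs)
        return prev.mac if prev and prev.mac != mac else None

    def permit(self, mac, ip, now):
        """Source-guard check: may this MAC send traffic from this IP?"""
        b = self._by_ip.get(ip)
        return b is not None and b.mac == mac and b.expires > now


def demo():
    # Constructed sample: host A sleeps through its lease, then B gets the IP.
    a, b, ip = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "10.0.0.5"
    t = BindingTable()
    t.on_dhcp_ack(a, ip, lease_secs=3600, now=0)
    during = t.permit(a, ip, now=1800)   # lease still live
    after = t.permit(a, ip, now=4000)    # lease ended, no renewal seen
    displaced = t.on_dhcp_ack(b, ip, lease_secs=3600, now=4000)
    return during, after, displaced, t.permit(b, ip, now=4100), t.permit(a, ip, now=4100)
```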