diff --git a/ChangeLog b/ChangeLog
index bfc95975..295b9283 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 Changes in 1.4.11-stable:
  o Fix a bug when removing a timeout from the heap. [Patch from Marko Kreen]
  o Remove the limit on size of HTTP headers by removing static buffers.
+ o Fix a nasty dangling pointer bug in epoll.c that could occur after epoll_recalc(). [Patch from Kevin Springborn]
 Changes in 1.4.10-stable:
  o clean up buffered http connection data on reset; reported by Brian O'Kelley
diff --git a/epoll.c b/epoll.c
index 39b47f8c..bfb3140e 100644
--- a/epoll.c
+++ b/epoll.c
@@ -224,8 +224,11 @@ epoll_dispatch(struct event_base *base, void *arg, struct timeval *tv)
 for (i = 0; i < res; i++) {
 int what = events[i].events;
 struct event *evread = NULL, *evwrite = NULL;
+int fd = events[i].data.fd;
-evep = (struct evepoll *)events[i].data.ptr;
+if (fd < 0 && fd >= epollop->nfds)
+continue;
+evep = &epollop->fds[fd];
 if (what & (EPOLLHUP|EPOLLERR)) {
 evread = evep->evread;
@@ -287,7 +290,7 @@ epoll_add(void *arg, struct event *ev)
 if (ev->ev_events & EV_WRITE)
 events |= EPOLLOUT;
-epev.data.ptr = evep;
+epev.data.fd = fd;
 epev.events = events;
 if (epoll_ctl(epollop->epfd, op, ev->ev_fd, &epev) == -1)
 return (-1);
@@ -339,7 +342,7 @@ epoll_del(void *arg, struct event *ev)
 }
 epev.events = events;
-epev.data.ptr = evep;
+epev.data.fd = fd;
 if (needreaddelete)
 evep->evread = NULL;
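Review bot: The new bounds check in epoll_dispatch can never trigger: `fd < 0 && fd >= epollop->nfds` has no solution, so a negative descriptor or one at or beyond nfds still reaches `evep = &epollop->fds[fd]` and indexes outside the fds array, which is the same class of memory error the commit sets out to remove. The condition should be a disjunction, `if (fd < 0 || fd >= epollop->nfds)`, so that either out-of-range case skips the entry. Since epoll_recalc() grows fds and nfds independently of what the kernel already has registered, a guard that actually rejects stale or oversized descriptors is the part of this change that makes the fd-based lookup safe. The enclosing for loop and epoll_dispatch itself begin and end outside this hunk; the epoll_add and epoll_del hunks only change the stored data union member and presumably rely on an `fd` assigned earlier in those functions.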