diff --git a/README.md b/README.md index 397436f8..0412b2cc 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ Wine. All those differences are also documented on the Included bug fixes and improvements ----------------------------------- -**Bug fixes and features included in the next upcoming release [15]:** +**Bug fixes and features included in the next upcoming release [16]:** * Add HTTP Host header in HttpSendRequest instead of HttpOpenRequest ([Wine Bug #28911](https://bugs.winehq.org/show_bug.cgi?id=28911)) * Add IEnumString stub interface for ACLShellSource ([Wine Bug #18019](https://bugs.winehq.org/show_bug.cgi?id=18019)) @@ -51,6 +51,7 @@ Included bug fixes and improvements * Create stub files for system32/drivers/etc/{services,hosts,networks,protocol} ([Wine Bug #12076](https://bugs.winehq.org/show_bug.cgi?id=12076)) * Dirtify vertex shader on transformed update to fix graphical corruption ([Wine Bug #38539](https://bugs.winehq.org/show_bug.cgi?id=38539)) * Do not create foreign thread queues for attach_thread_input requests ([Wine Bug #38562](https://bugs.winehq.org/show_bug.cgi?id=38562)) +* Free RPC parameters allocated by application before anything else ([Wine Bug #36743](https://bugs.winehq.org/show_bug.cgi?id=36743)) * Implement kernel32.GetSystemTimePreciseAsFileTime ([Wine Bug #38513](https://bugs.winehq.org/show_bug.cgi?id=38513)) * Improve ReadDataAvailable handling in FilePipeLocalInformation class * Return default palette entries from GetSystemPaletteEntries for non-palette-based devices diff --git a/debian/changelog b/debian/changelog index d436b4d3..45855421 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -41,6 +41,8 @@ wine-staging (1.7.43) UNRELEASED; urgency=low * Added patch to add HTTP Host header in HttpSendRequest instead of HttpOpenRequest. * Added various additional fixes for wininet header handling. + * Added patch to free RPC parameters allocated by application before anything + else. * Removed patch to use lockfree implementation for FD cache (accepted upstream). * Removed patch to properly handle closing sockets during a select call diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh index db5a3d58..067dae38 100755 --- a/patches/patchinstall.sh +++ b/patches/patchinstall.sh @@ -197,6 +197,7 @@ patch_enable_all () enable_quartz_MediaSeeking_Positions="$1" enable_regedit_String_Termination="$1" enable_riched20_IText_Interface="$1" + enable_rpcrt4_Use_After_Free="$1" enable_secur32_ANSI_NTLM_Credentials="$1" enable_server_ACL_Compat="$1" enable_server_Address_List_Change="$1" @@ -658,6 +659,9 @@ patch_enable () riched20-IText_Interface) enable_riched20_IText_Interface="$2" ;; + rpcrt4-Use_After_Free) + enable_rpcrt4_Use_After_Free="$2" + ;; secur32-ANSI_NTLM_Credentials) enable_secur32_ANSI_NTLM_Credentials="$2" ;; @@ -2515,6 +2519,18 @@ if test "$enable_wined3d_CSMT_Helper" -eq 1; then ) >> "$patchlist" fi +# Patchset wined3d-resource_check_usage +# | +# | Modified files: +# | * dlls/wined3d/resource.c +# | +if test "$enable_wined3d_resource_check_usage" -eq 1; then + patch_apply wined3d-resource_check_usage/0001-wined3d-Silence-repeated-resource_check_usage-FIXME.patch + ( + echo '+ { "Erich E. Hoover", "wined3d: Silence repeated resource_check_usage FIXME.", 2 },'; + ) >> "$patchlist" +fi + # Patchset wined3d-wined3d_swapchain_present # | # | Modified files: 
@@ -2603,18 +2619,6 @@ if test "$enable_wined3d_UnhandledBlendFactor" -eq 1; then ) >> "$patchlist" fi -# Patchset wined3d-resource_check_usage -# | -# | Modified files: -# | * dlls/wined3d/resource.c -# | -if test "$enable_wined3d_resource_check_usage" -eq 1; then - patch_apply wined3d-resource_check_usage/0001-wined3d-Silence-repeated-resource_check_usage-FIXME.patch - ( - echo '+ { "Erich E. Hoover", "wined3d: Silence repeated resource_check_usage FIXME.", 2 },'; - ) >> "$patchlist" -fi - # Patchset wined3d-CSMT_Main # | # | This patchset fixes the following Wine bugs: @@ -4404,6 +4408,21 @@ if test "$enable_riched20_IText_Interface" -eq 1; then ) >> "$patchlist" fi +# Patchset rpcrt4-Use_After_Free +# | +# | This patchset fixes the following Wine bugs: +# | * [#36743] Free RPC parameters allocated by application before anything else +# | +# | Modified files: +# | * dlls/rpcrt4/ndr_stubless.c +# | +if test "$enable_rpcrt4_Use_After_Free" -eq 1; then + patch_apply rpcrt4-Use_After_Free/0001-rpcrt4-Free-parameters-allocated-by-application-befo.patch + ( + echo '+ { "Jérôme Gardou", "rpcrt4: Free parameters allocated by application before anything else.", 1 },'; + ) >> "$patchlist" +fi + # Patchset secur32-ANSI_NTLM_Credentials # | # | This patchset fixes the following Wine bugs: diff --git a/patches/rpcrt4-Use_After_Free/0001-rpcrt4-Free-parameters-allocated-by-application-befo.patch b/patches/rpcrt4-Use_After_Free/0001-rpcrt4-Free-parameters-allocated-by-application-befo.patch new file mode 100644 index 00000000..6442d6dc --- /dev/null +++ b/patches/rpcrt4-Use_After_Free/0001-rpcrt4-Free-parameters-allocated-by-application-befo.patch 
@@ -0,0 +1,53 @@ +From 9cfab0a867f609d922ebe3ee2690f1fa7fe96976 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Gardou?= +Date: Mon, 16 Jun 2014 15:55:01 +0200 +Subject: rpcrt4: Free parameters allocated by application before anything + else. + +The freer function calculates conformance and variance using values in +parameters which can be freed earlier in the loop, so it is necessary to +free those before anything else. +See http://bugs.winehq.org/show_bug.cgi?id=36743 for details. +--- + dlls/rpcrt4/ndr_stubless.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/dlls/rpcrt4/ndr_stubless.c b/dlls/rpcrt4/ndr_stubless.c +index c9d9930..92bfd9b 100644 +--- a/dlls/rpcrt4/ndr_stubless.c ++++ b/dlls/rpcrt4/ndr_stubless.c +@@ -1109,6 +1109,18 @@ static LONG_PTR *stub_do_args(MIDL_STUB_MESSAGE *pStubMsg, + unsigned int i; + LONG_PTR *retval_ptr = NULL; + ++ if (phase == STUBLESS_FREE) ++ { ++ for (i = 0; i < number_of_params; i++) ++ { ++ unsigned char *pArg = pStubMsg->StackTop + params[i].stack_offset; ++ if (params[i].attr.MustFree) ++ { ++ call_freer(pStubMsg, pArg, ¶ms[i]); ++ } ++ } ++ } ++ + for (i = 0; i < number_of_params; i++) + { + unsigned char *pArg = pStubMsg->StackTop + params[i].stack_offset; +@@ -1126,11 +1138,7 @@ static LONG_PTR *stub_do_args(MIDL_STUB_MESSAGE *pStubMsg, + call_marshaller(pStubMsg, pArg, ¶ms[i]); + break; + case STUBLESS_FREE: +- if (params[i].attr.MustFree) +- { +- call_freer(pStubMsg, pArg, ¶ms[i]); +- } +- else if (params[i].attr.ServerAllocSize) ++ if (params[i].attr.ServerAllocSize) + { + HeapFree(GetProcessHeap(), 0, *(void **)pArg); + } +-- +2.4.0 + diff --git a/patches/rpcrt4-Use_After_Free/definition b/patches/rpcrt4-Use_After_Free/definition new file mode 100644 index 00000000..60d90168 --- /dev/null +++ b/patches/rpcrt4-Use_After_Free/definition @@ -0,0 +1 @@ +Fixes: [36743] Free RPC parameters allocated by application before anything else
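Review bot: The rewritten `case STUBLESS_FREE:` drops the `else if` relationship between MustFree and ServerAllocSize, so a parameter carrying both attributes now gets `call_freer` in the new pre-pass and then `HeapFree(GetProcessHeap(), 0, *(void **)pArg)` in the main loop, where the old code ran only the freer; unless that combination is known never to be emitted by MIDL, keep the old exclusivity with `if (params[i].attr.ServerAllocSize && !params[i].attr.MustFree)`. The pre-pass still invokes the freers in declaration order, so a freer whose size_is/length_is expression reads an earlier MustFree parameter would presumably still touch freed memory; a comment above the pre-pass should state exactly which ordering the fix relies on, e.g. `/* run application freers first: their conformance may live in ServerAllocSize buffers freed below */`. The listing shows `¶ms[i]` where `&params[i]` is evidently intended, which looks like an entity-mangling artifact of the page rather than the committed file, but the stored patch should be confirmed to apply and build. stub_do_args begins and ends outside this hunk.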