diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 72d9d8fc9f0de0c6f7be1b6f77320b647067f529..2eea11b2a8404b07ffc8bfac7772c10bf0240d85 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,4 +1,8 @@
 
+Drupal 7.44, 2016-06-15
+-----------------------
+- Fixed security issues (privilege escalation). See SA-CORE-2016-002.
+
 Drupal 7.43, 2016-02-24
 -----------------------
 - Fixed security issues (multiple vulnerabilities). See SA-CORE-2016-001.
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 0428bd362d10bda31955b1030e9b273221815434..aea69a22253aca0310657988f2aa164c6c3a8f30 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.43');
+define('VERSION', '7.44');
 
 /**
  * Core API compatibility.
diff --git a/modules/user/user.module b/modules/user/user.module
index d38de69b1965d4c569e4d251751db56b06b5c5d2..9b00392e326f7576e317ce33d00768180d70a47a 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1162,7 +1162,7 @@ function user_account_form(&$form, &$form_state) {
   $form['account']['roles'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Roles'),
-    '#default_value' => (!$register && isset($account->roles) ? array_keys($account->roles) : array()),
+    '#default_value' => (!$register && !empty($account->roles) ? array_keys(array_filter($account->roles)) : array()),
     '#options' => $roles,
     '#access' => $roles && user_access('administer permissions'),
     DRUPAL_AUTHENTICATED_RID => $checkbox_authenticated,