The critical vulnerability is buried among endless open source code, and many cyber experts are stumped.