Credit: @robertswiecki
The only ‘critical’ bug in OpenSSL to get a CVSS score of 10. It is a use-after-free, triggered pre-auth during the TLS handshake, that allows remote code execution. The bug was introduced by a fix for a previous (low-severity) bug, which led OpenSSL to release an emergency update right after its regular update. Most websites use OpenSSL.