Tavis Ormandy, a Google security researcher, said via Twitter that the patches seemed "incomplete." Ormandy could not be reached to elaborate, but several security experts said a brief technical comment provided on Twitter raised concerns.
"That means some systems could be exploited even though they are patched," said Chris Wysopal, chief technology officer with security software maker Veracode.
He said corporate security teams had spent the day combing their networks to find vulnerable machines and patch them, and they would likely be taking other precautions to mitigate the potential for attacks in case the patches proved ineffective.
Read More'Heartbleed' bug: Is changing your password enough?
"Everybody is scrambling to patch all of their Internet-facing Linux machines. That is what we did at Veracode today," he said. "It could take a long time to get that done for very large organizations with complex networks."
"Heartbleed," discovered in April, is a bug in an open-source encryption software called OpenSSL. The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.
Bash is a shell, or command prompt software, produced by the non-profit Free Software Foundation. Officials with that group could not be reached for comment.