Variant · Low-Medium

CWE-686: Function Call With Incorrect Argument Type

Description

The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.

This weakness is most likely to occur in loosely typed languages; in strongly typed languages where the types of variadic arguments cannot be enforced at compile time (for example, printf-style functions in C, whose format string is the only description of the argument types); or wherever implicit conversion silently coerces the argument to the parameter's type, so the mismatch never surfaces as a compile error.
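The following is an added example, not code from the CWE entry. It shows two argument-type mismatches that a C compiler accepts silently, each beside a call that passes the type the callee expects: a plain `char` handed to a `<ctype.h>` function (the case CERT STR37-C covers), and a signed `int` length handed to a `size_t` parameter. The function names (`in_ctype_domain`, `count_printable`, `to_size_checked`, `bounded_copy`) and the sample byte string are assumptions made for this illustration; the example assumes a hosted C11 toolchain.

```c
/* Added example (not from the CWE entry): argument-type mismatches in C that
   compile cleanly, beside the calls that pass the type the callee expects.
   Function names and sample input are constructed for this illustration. */
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. <ctype.h> functions take an int that must be EOF or a value representable
      as unsigned char (CERT STR37-C).  A plain char holding a byte >= 0x80 is
      negative where char is signed, so passing it straight through hands the
      callee a value outside its domain (undefined behaviour).  This predicate
      states the domain the callee actually accepts. */
int in_ctype_domain(int c) {
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* Wrong argument type: buf[i] is a char, which promotes to a negative int for
   bytes >= 0x80 on signed-char platforms.  Kept here as the "before" form;
   it is not called below. */
size_t count_printable_wrong(const char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (isprint(buf[i])) n++;
    }
    return n;
}

/* Correct: convert to unsigned char first so every byte maps to 0..255. */
size_t count_printable(const char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (isprint((unsigned char)buf[i])) n++;
    }
    return n;
}

/* 2. An int passed where the callee takes size_t is converted modulo 2^N,
      so a "negative length" of -1 silently becomes SIZE_MAX.  This helper
      returns the value the callee would see, i.e. the implicit conversion
      that happens at a real call site. */
size_t length_as_seen_by_callee(int requested_len) {
    return (size_t)requested_len;
}

/* Checked conversion at the boundary: reject negatives instead of letting the
   implicit conversion turn them into a huge count.  Returns 1 on success. */
int to_size_checked(long long v, size_t *out) {
    if (v < 0) return 0;
    if ((unsigned long long)v > SIZE_MAX) return 0;
    *out = (size_t)v;
    return 1;
}

/* Copy at most `cap` bytes of src into dst, but only after the caller-supplied
   length has been validated as a non-negative size.  Returns bytes copied. */
size_t bounded_copy(char *dst, size_t cap, const char *src, long long len) {
    size_t n;
    if (!to_size_checked(len, &n)) return 0;
    if (n > cap) n = cap;
    memcpy(dst, src, n);
    return n;
}

int main(void) {
    /* Constructed input: "ok" followed by the UTF-8 bytes of "é" (0xC3 0xA9). */
    const char sample[] = "ok\xC3\xA9";
    char c = sample[2];
    printf("byte 0xC3 as plain char promotes to %d; in ctype domain: %s\n",
           (int)c, in_ctype_domain(c) ? "yes" : "no");
    printf("printable bytes (unsigned char cast): %zu of 4\n",
           count_printable(sample, 4));
    printf("int -1 as seen by a size_t parameter: %zu\n",
           length_as_seen_by_callee(-1));

    char out[8];
    printf("bounded_copy with len -1 copied %zu bytes\n",
           bounded_copy(out, sizeof out, sample, -1));
    printf("bounded_copy with len 2 copied %zu bytes\n",
           bounded_copy(out, sizeof out, sample, 2));
    return 0;
}
```

The `count_printable_wrong`/`count_printable` pair is the STR37-C fix in miniature: the cast does not change the byte, it changes the type the callee is given. The `size_t` case is the more dangerous one in practice, because the conversion is well-defined and produces no diagnostic by default; `-Wsign-conversion` (GCC/Clang) reports it, and a checked converter such as `to_size_checked` stops the bad value at the API boundary.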

Potential Impact

Other

Quality Degradation

Detection Methods

  • Other (effectiveness: Opportunistic) — Because a call with a mismatched argument type often produces visibly incorrect behavior, it will usually be detected during testing or normal operation of the product. The cases that do not misbehave on the developer's platform (for example, a signed char that only turns negative for non-ASCII input) are the ones that survive into production.

Taxonomy Mappings

  • CERT C Secure Coding: EXP37-C — Call functions with the correct number and type of arguments
  • CERT C Secure Coding: FIO47-C — Use valid format strings
  • CERT C Secure Coding: POS34-C — Do not call putenv() with a pointer to an automatic variable as the argument
  • CERT C Secure Coding: STR37-C — Arguments to character handling functions must be representable as an unsigned char
  • Software Fault Patterns: SFP1 — Glitch in computation

Frequently Asked Questions

What is CWE-686?

CWE-686 (Function Call With Incorrect Argument Type) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.

How can CWE-686 be exploited?

On its own, CWE-686 is listed with quality degradation as its consequence; it is a Variant that usually matters because of the resultant weakness it introduces. Whether that is attacker-reachable depends on the mismatch: a format string whose conversions do not match the argument types, a signed value silently converted to an unsigned size or count, or a char passed to a character-handling function outside the range it accepts are the cases the mapped CERT rules (FIO47-C, EXP37-C, STR37-C) address. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-686?

Declare a full prototype for every function so the compiler can check each call, and compile with type diagnostics enabled and treated as errors (for GCC and Clang: -Wall -Wextra -Wformat=2 -Wconversion -Wsign-conversion -Werror), so that mismatched format arguments and silent narrowing or sign changes fail the build rather than shipping. Where the parameter type cannot be enforced by the compiler (variadic functions, loosely typed languages), validate the argument at the API boundary before using it. Back this with code review and automated static analysis (SAST), which can flag most of these mismatches directly from source; DAST will only find the subset that produces observable misbehavior on the inputs it tries.

What is the severity of CWE-686?

CWE-686 is classified at the Variant abstraction level, the most specific level in CWE; "Low-Medium" is a rating shown for the entry, not its abstraction level. CWE assigns the entry no fixed severity: the actual severity depends on the resultant weakness the mismatched argument causes and on how it manifests in your application, ranging from a cosmetic quality defect to memory corruption when the mismatch reaches a length or format argument.