Variant weakness

Draft

CWE-686: Function Call With Incorrect Argument Type

The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.

Last updated May 1, 2026

5

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

This weakness is most likely to occur in loosely typed languages, or in strongly typed languages in which the types of variable arguments cannot be enforced at compilation time, or where there is implicit casting.

Real-world CVEs

5 recorded CVEs are caused by CWE-686 (Function Call With Incorrect Argument Type). The highest-severity and most recent are shown first. 2 new CWE-686 CVEs have been recorded so far in 2026 (1 in 2025).

High · CVSS 7.1 · EPSS 20th

2026-04-09

CVE-2024-32632

Medium · CVSS 6.6 · EPSS 38th

2024-04-16

CVE-2023-5868

Postgresql: memory disclosure in aggregate function calls

Low · CVSS 2.1 · EPSS 86th

2023-12-10

Common consequences

What can happen when CWE-686 is exploited.

Quality Degradation

Affects: Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to detect it

Other

Because this function call often produces incorrect behavior, it will usually be detected during testing or normal operation of the product.

Effectiveness: Opportunistic

Terminology & mappings

Mapped taxonomies

CERT C Secure Coding: Call functions with the correct number and type of arguments (EXP37-C) — CWE More Specific fit
CERT C Secure Coding: Use valid format strings (FIO47-C) — Imprecise fit
CERT C Secure Coding: Do not call putenv() with a pointer to an automatic variable as the argument (POS34-C)
CERT C Secure Coding: Arguments to character handling functions must be representable as an unsigned char (STR37-C)
Software Fault Patterns: Glitch in computation (SFP1)

Frequently asked questions

Common questions about CWE-686.

What is CWE-686?

The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.

What CVEs are caused by CWE-686?

5 recorded CVEs are attributed to CWE-686, including CVE-2025-14330, CVE-2026-8389, CVE-2026-33783.

How is CWE-686 detected?

Other: Because this function call often produces incorrect behavior, it will usually be detected during testing or normal operation of the product.

What are the consequences of CWE-686?

Exploiting CWE-686 can lead to: Quality Degradation.

Is CWE-686 actively exploited?

5 recorded CVEs are caused by CWE-686; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-686

Get alerted the moment a new CWE-686 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing