CWE-687: Function Call With Incorrectly Specified Argument Value
The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.
Last updated
Overview
CWE-687 (Function Call With Incorrectly Specified Argument Value) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
2 recorded CVEs are caused by CWE-687 (Function Call With Incorrectly Specified Argument Value). The highest-severity and most recent are shown first.
Common consequences
What can happen when CWE-687 is exploited.
Quality Degradation
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Manual Static Analysis
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.
Vulnerable example
sub ReportAuth {Terminology & mappings
Mapped taxonomies
- CERT C Secure Coding: Do not perform zero length allocations (MEM04-C)
- Software Fault Patterns: Tainted input to command (SFP24)
Frequently asked questions
Common questions about CWE-687.
- What is CWE-687?
- The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.
- What CVEs are caused by CWE-687?
- 2 recorded CVEs are attributed to CWE-687, including CVE-2024-36985, CVE-2024-49603.
- How is CWE-687 detected?
- Manual Static Analysis: This might require an understanding of intended program behavior or design to determine whether the value is incorrect.
- What are the consequences of CWE-687?
- Exploiting CWE-687 can lead to: Quality Degradation.
- Is CWE-687 actively exploited?
- 2 recorded CVEs are caused by CWE-687; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-687) (opens in a new tab)
- CWE-687 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-687
Get alerted the moment a new CWE-687 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.