CWE-688: Function Call With Incorrect Variable or Reference as Argument
low-riskThe product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.
Abstraction: Variant
Common Consequences
Other
→
Quality Degradation
Detection Methods
Other
While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. This might require an understanding of intended program behavior or design to determine whether the value is incorrect.
Real-World Examples (2)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2021-33713 | 5.5 | 0.1% | — |
| CVE-2026-33549 | 6.7 | 0.0% | — |
0
/ 100
low-risk
Active Threat
0/50 · Minimal
Exploit Availability
0/50 · Minimal