diff --git a/cpp/ql/src/Critical/ScanfChecks.qll b/cpp/ql/src/Critical/ScanfChecks.qll
index 00c6f482828a..340c52a3b938 100644
--- a/cpp/ql/src/Critical/ScanfChecks.qll
+++ b/cpp/ql/src/Critical/ScanfChecks.qll
@@ -37,7 +37,7 @@ private string getEofValue() {
  */
 private predicate checkedForEof(ScanfFunctionCall call) {
   exists(IRGuardCondition gc |
-    exists(Instruction i | i.getUnconvertedResultExpression() = call |
+    exists(CallInstruction i | i.getUnconvertedResultExpression() = call |
       exists(int val | gc.comparesEq(valueNumber(i).getAUse(), val, _, _) |
         // call == EOF
         val = getEofValue().toInt()