Overview#Extendable-Output Function (XOF) are Cryptographic Hash Function which can output an arbitrarily large number of random-looking bits.
Where most Cryptographic Hash Functions are fixed length.
Questions on Possible Uses#FIPS 202 Appendix A.2:
"it is possible to use an XOF as a hash function by selecting a fixed output length. However, XOFs have the potential for generating related outputs—a property that designers of security applications/protocols/systems may not expect of hash functions"
"For example, a naïve (and non-approved) way for two parties to agree to derive a 112-bit Triple DES key from a message designated as keymaterial would be to compute SHAKE128(keymaterial, keylength), where keylength is 112. However, if an attacker is able to induce one of the parties to use a different value for keylength, say 168 bits, but the same value for keymaterial"