Catastrophic Overfitting Regimes

• Catastrophic overfitting regimes are defined by abrupt and severe drops in adversarial robustness despite nearly perfect training performance.
• They emerge from factors like loss surface curvature, shortcut learning, and gradient misalignment in overparameterized models.
• Researchers employ diagnostic tools and adaptive regularization strategies to mitigate the transition from benign to catastrophic overfitting.

Catastrophic overfitting refers to distinct regimes in which an interpolating or robustly trained model—particularly in the context of adversarially-trained neural networks and other high-capacity models—abruptly and severely loses its generalization or adversarial robustness, despite performing well on the training objective. These regimes are characterized by sharp changes in test risk or robustness, often triggered by subtle shifts in regularization, optimization, norm selection, network architecture, or data structure. Catastrophic overfitting stands in contrast to benign and tempered overfitting, where models either maintain near-optimal test performance or degrade gracefully. Its paper has led to a nuanced taxonomy of overfitting behaviors and inspired a range of diagnostic tools, theoretical frameworks, and mitigation strategies.

1. Defining Catastrophic Overfitting Regimes

Catastrophic overfitting (CO) is most prominently observed in overparameterized models, neural networks trained for robustness, and kernel methods under interpolation. In adversarial training, CO manifests as a sudden, near-complete collapse in robust test accuracy under stronger, multi-step attacks (e.g., PGD) while robust accuracy against the weaker, single-step attacks used in training (e.g., FGSM) remains misleadingly high (Kim et al., 2020, Kang et al., 2021, Lin et al., 2023). In classical interpolating estimators, catastrophic overfitting is defined as the property that, even as the training error is held at zero and the label noise probability $p \rightarrow 0$, the test (clean) error remains bounded below by a nonzero constant (independent of $p$) (Barzilai et al., 11 Feb 2025).

Key symptoms of catastrophic overfitting include:

• Abrupt, nonrecoverable drops in adversarial accuracy or test performance.
• Highly curved or distorted loss surfaces and decision boundaries.
• Model behavior dominated by “shortcut” features, self-information, or over-confident memorization.
• Inability to recover robustness or generalization via extended training.

CO is sharply distinguished from benign overfitting (test error or robust accuracy plateauing at optimal levels) and tempered overfitting (finite, noise-dependent excess risk), and often arises due to interactions between model capacity, initialization, optimization strategy, data distribution, and norm constraints (Mallinar et al., 2022, Barzilai et al., 11 Feb 2025, Li et al., 1 Oct 2025).

2. Mechanisms Underlying Catastrophic Overfitting

Multiple complementary mechanisms have been identified as responsible for catastrophic overfitting across different settings:

2.1. Projection and Fixed Points in Norm-Bounded Attacks

Catastrophic overfitting in fast adversarial training (e.g., FGSM) is intrinsically linked to the properties of the $l^p$ norm constraint used to define adversarial examples (Mehouachi et al., 5 May 2025). Under the $l^\infty$ norm, perturbations are highly localized to a few input dimensions—a scenario that, combined with concentrated input gradients, increases the risk of CO. When the gradient vector is concentrated in a small number of coordinates (as measured by a low Participation Ratio or entropy gap), standard fixed-point iterations to generate adversarial examples fail to effectively cover the threat region, leading to local linearity breakdown and decision boundary distortion.

2.2. Loss Surface Curvature and Local Linearity

Single-step adversarial training methods (e.g., FGSM) operate effectively only when the loss function is locally linear in the input space (Kim et al., 2020, Sivashankar et al., 2021, Rocamora et al., 21 Jan 2024). With the onset of CO, the loss surface becomes highly curved, violating the linear approximation $$\ell(x+\delta) - \ell(x) \approx \epsilon \|\nabla_x\ell\|_1$$. In this regime, the model’s gradient direction changes rapidly even within a small neighborhood, so single-step adversarial examples probe a vanishingly small subset of the worst-case perturbations.

2.3. Shortcut Learning and Feature Dominance

CO is often accompanied by the emergence of shortcut dependencies—pseudo-robust features that allow the network to defend against the exact adversarial direction used in training while neglecting broader robustness (Ortiz-Jiménez et al., 2022, Lin et al., 25 May 2024, He et al., 2023). In this process, early network layers (the “former” layers) become disproportionately distorted, as seen by increases in the singular values of their weights and sharp loss landscape transitions. The network learns to “shortcut” general robust features in favor of easy-to-learn but fragile cues, which are insufficient for defending against more general adversarial threats.

2.4. Memorization and Self-Information

CO regimes are characterized by the network’s over-memorization of specific high-confidence patterns (Lin et al., 2023). In adversarial training, this manifests as “self-fitting,” in which the network models the self-information embedded in its own adversarial perturbations (He et al., 2023). When this occurs, a few convolution channels or pathways dominate, encoding the adversarial pattern at the expense of true data features. Such over-memorization is both the cause and consequence of CO: as memorization intensifies (as detected by abrupt loss drops and low-loss examples in training), the network’s generalization and robustness collapse.

2.5. Data Structure and Hyperparameter Transitions

In classical kernel and interpolating estimators (e.g., Nadaraya–Watson), catastrophic overfitting arises when the effective weighting of training samples becomes too “global” (e.g., bandwidth or kernel parameter $\beta < d$, with $d$ intrinsic dimension) (Barzilai et al., 11 Feb 2025). Here, any noise or mislabeling in the dataset can cause persistent misclassification over a nonzero measure of the input space, elucidating the dimension-dependent non-monotonic transitions between benign, tempered, and catastrophic overfitting.

3. Mathematical and Theoretical Characterizations

Catastrophic overfitting regimes are often formalized using precise mathematical criteria:

• Min–max loss and local linearity breakdown: In adversarial training, CO is characterized by the failure of the loss linearization $$\ell(x+\delta)-\ell(x)\approx\epsilon\lVert\nabla_x\ell\rVert_1$$, the appearance of high curvature (as quantified by the Hessian’s top eigenvalues), and almost orthogonal gradients at nearby points.
• Distortion measure in adversarial directions: Let $d=|S_D \cap S_N| / |S_N|$ denote the fraction of examples for which a scaled adversarial perturbation leads to misclassification, even when both the original and full-magnitude adversarial are correctly classified. CO is identified by a sharp jump in $d$ (Kim et al., 2020).
• Participation Ratio and Entropy: Gradient concentration is measured by the Participation Ratio $$\mathrm{PR}_1 = (\|\nabla_x\ell\|_1/\|\nabla_x\ell\|_2)^2$$ and entropy gap $\Delta H = H_m - H$, which increase the risk of CO when they are small (Mehouachi et al., 5 May 2025).
• Phase transitions in interpolating regressors: For Nadaraya–Watson or spiked regression, the clean classification/test error $L(h_\beta)$ is bounded below by a positive constant independent of label noise $p$ whenever bandwidth $\beta < d$ (Barzilai et al., 11 Feb 2025), or when spike strength and target alignment cross a regime-specific threshold (Li et al., 1 Oct 2025).

4. Diagnostic Tools and Regime Taxonomy

The modern taxonomy of overfitting distinguishes between:

• Benign overfitting: Perfect data interpolation without adversarial or test loss elevation (e.g., NTK and kernel methods with well-chosen spectra, bandwidth matched to data dimension) (Mallinar et al., 2022, Barzilai et al., 11 Feb 2025, Li et al., 1 Oct 2025).
• Tempered overfitting: Test or robust error plateaus at a finite level above irreducible risk, typically scaling with label noise or model misspecification.
• Catastrophic overfitting: Divergent or abruptly discontinuous risk, sudden breakdown under adversarial or misspecified test conditions, or persistent error independent of noise level.

In adversarial settings, CO is typically diagnosed by:

• A near-zero robust accuracy under multi-step attacks (but not single-step);
• Exploding loss curvature measures;
• Abrupt phase transition in gradient alignment or feature activation statistics;
• Distorted decision boundaries visualized by solution trajectories in adversarial directions.

For interpolating estimators, thresholds in bandwidth or scaling parameter separate benign, tempered, and catastrophic regions. Specifically, in Nadaraya–Watson, models with $\beta<d$ are categorically catastrophic, $\beta=d$ are benign, and $\beta>d$ are tempered (Barzilai et al., 11 Feb 2025).

5. Mitigation and Control

Mitigating CO requires interventions tailored to the mechanism:

• Dynamic perturbation scaling: Search for the minimal effective adversarial step $k^*\in[0,1]$ along the adversarial direction per instance, rather than always using the maximal allowed step (Kim et al., 2020, Kang et al., 2021).
• Regularization of loss curvature: Penalize the deviation from local linearity (e.g., via GradAlign, LLR, or ELLE), which enforces alignment of gradients at perturbed points and suppresses loss surface curvature (Rocamora et al., 21 Jan 2024, Sivashankar et al., 2021).
• Channel and layer-level interventions: Suppress shortcut learning and pseudo-robust features by differentiating and regularizing the network’s pathways, specifically targeting early layers prone to distortion (He et al., 2023, Lin et al., 25 May 2024).
• Adaptive training norm: Continuously tune the $l^p$-norm during adversarial training (adaptive $l^p$-FGSM), using statistics such as the gradient Participation Ratio and entropy gap to avoid regimes likely to cause CO (Mehouachi et al., 5 May 2025).
• Removal or augmentation of over-memorized patterns: The Distraction Over-Memorization (DOM) framework adapts training by either removing or heavily augmenting high-confidence samples, preventing memorization-driven overfitting (Lin et al., 2023).
• Regularization of abnormal adversarial example dynamics: Penalize the emergence of adversarial examples whose loss does not increase as expected (Abnormal Adversarial Examples Regularization, AAER), directly constraining the network away from distorted regimes (Lin et al., 11 Apr 2024).
• Exploiting CO: Under specific circumstances, intentionally inducing CO and applying random noise at evaluation time can improve robustness via attack obfuscation (Zhao et al., 28 Feb 2024).

6. Broader Implications and Theoretical Insights

Catastrophic overfitting has profound implications for the design and interpretation of interpolating models, robust optimization procedures, and neural architectures:

• Regime transitions are non-monotonic: In interpolating spiked regression (Li et al., 1 Oct 2025) and kernel methods (Barzilai et al., 11 Feb 2025), benign, tempered, and catastrophic overfitting arise non-monotonically as a function of alignment, regularization, and noise. Surprisingly, increasing spike alignment or signal strength can first lead to catastrophic overfitting before eventually restoring benign behavior.
• Not all alignment is beneficial: Alignment of the target function with dominant data directions (spikes, principal eigenvectors) can be either beneficial or detrimental depending on parameter regimes, even in nonlinear models (Li et al., 1 Oct 2025).
• Intrinsic versus ambient dimension tuning: In classic methods, overestimating intrinsic data dimension in kernel bandwidth selection yields tempered risk, whereas underestimation almost always induces catastrophic overfitting (Barzilai et al., 11 Feb 2025).
• Computational and architectural trade-offs: While double backpropagation and multi-step adversarial training are computationally expensive, efficient regularizers (such as ELLE or ZeroGrad) or adaptive norm control can mitigate CO at low overhead (Golgooni et al., 2021, Rocamora et al., 21 Jan 2024, Mehouachi et al., 5 May 2025).
• Generality across domains: Although most empirical and theoretical results are rooted in computer vision and supervised learning, analogous overfitting phase transitions can be expected in a variety of overparameterized, interpolating, or robust training settings as functions of data structure, training objectives, or optimization strategies.

7. Directions for Research and Open Problems

Key areas for ongoing and future research include:

• Improved understanding of the connection between loss landscape geometry, shortcut learning, and generalization error phase transitions across architectures and data domains.
• Adaptive mechanisms for regularization or adversarial norm choice that generalize across tasks and threat models.
• Development of diagnostic tools for early detection or recovery from catastrophic overfitting during training.
• Theoretical extension of regime taxonomy to a broader class of interpolating and robust methods, including those with nontrivial data geometry, non-i.i.d. distributions, or complex architectures.
• Investigation of exploitative or obfuscatory uses of CO (e.g., noise-based defense), while balancing risk of spurious generalization failures.

---

Catastrophic overfitting regimes represent critical phase transitions in overparameterized learning, fundamentally shaped by the interplay between model capacity, optimization, data geometry, and regularization. Their precise mathematical analysis, mechanistic insight, and algorithmic mitigation inform both the theoretical and practical frontiers of robust and generalizable machine learning systems.