Papers
Topics
Authors
Recent
Search
2000 character limit reached

Cross-Modal Jailbreaking in Multimodal Models

Updated 4 July 2026
  • Cross-modal jailbreaking is an adversarial attack on multimodal systems where harmful intent is covertly encoded across different modalities.
  • It exploits vulnerabilities in latent fusion and cross-modal consistency, allowing benign inputs to recombine into harmful outputs.
  • Recent research reveals its high efficacy across vision-language, audio-language, and generative systems, challenging existing safety measures.

Cross-modal jailbreaking is a class of adversarial attacks on multimodal models in which harmful intent is encoded, concealed, fragmented, or transferred across modalities so that no single channel necessarily appears overtly unsafe, yet the fused system produces policy-violating output. In vision-LLMs, audio-LLMs, omni-models, and multimodal generative systems, the attack surface expands beyond plain-text prompting to include latent fusion dynamics, image-text reasoning, audio-to-text transfer, steganographic concealment, and multimodal compositional inference. The literature describes both explicit attacks, such as typographic visual prompts, and more implicit attacks in which benign-looking textual and visual primitives are recomposed into harmful semantics only during inference (Song et al., 26 May 2025, Wang et al., 22 May 2025, Wang et al., 1 Jun 2026).

1. Scope, threat models, and conceptual framing

Several formulations of cross-modal jailbreaking treat multimodal safety as a property of the joint input space rather than of any single modality. In this view, an attacker does not merely bypass a text filter; the attacker exploits the model’s multimodal fusion, cross-modal consistency mechanisms, or shared representation space to induce unsafe behavior. The DSR paper makes this distinction explicit by contrasting ordinary explicit harmful inputs, called Harm-Bearing, with attacks in which harmful semantics emerge only after the model fuses multiple benign components (Wang et al., 1 Jun 2026).

The dominant threat model is black-box query access. IJA assumes no access to model weights, architecture, or training data, with the attacker supplying one image and one text prompt and observing only outputs; CAMO, VEIL, PolyJailbreak, and the alignment-curse study adopt comparable black-box settings for LVLMs, T2V systems, and omni-models (Wang et al., 22 May 2025, Jiang et al., 20 Jun 2025, Ying et al., 17 Nov 2025, Wang et al., 20 Oct 2025, Chen et al., 30 Jan 2026). White-box settings remain important for mechanism studies: JailBound explicitly decomposes a VLM as

Fθ=(fv,ft,ϕ),F_\theta = (f_v, f_t, \phi),

where fvf_v encodes the image, ftf_t encodes the text, and Ï•\phi is the multimodal fusion module, then treats jailbreak as movement across an implicit safety decision boundary in fusion-layer latent space (Song et al., 26 May 2025).

A recurring misconception is that cross-modal jailbreaking is reducible to rendering harmful text inside an image. The literature is broader. It includes latent-space boundary attacks, least significant bit steganography, distributed semantic recomposition, acoustic perturbation, text-to-audio transfer, and coordinated multimodal attacks on image-to-video and text-to-video generation systems (Song et al., 26 May 2025, Wang et al., 22 May 2025, Roh et al., 1 Apr 2025, Chen et al., 30 Jan 2026, Wang et al., 7 Dec 2025, Ying et al., 17 Nov 2025).

2. Evolution of attack paradigms

The research trajectory moves from explicit modality transfer toward attacks that exploit internal multimodal reasoning more directly. Early and broad attacks include typographic image prompts, tri-modal camouflage, optimization-based adversarial images, and Best-of-N sampling over modality-specific augmentations. Later work increasingly targets latent fusion geometry, distributed semantics, scenario nesting, steganographic concealment, and multimodal reasoning pipelines (Mao et al., 2024, Chen et al., 2024, Hughes et al., 2024, Song et al., 26 May 2025, Yan et al., 9 Feb 2026).

Paradigm Representative methods Core operation
Explicit multimodal encoding FigStep, JMLLM, vision BoN Render or transform harmful content into image or audio form
Optimization-driven attacks Zer0-Jack, JailBound Optimize image or joint image-text perturbations against model behavior
Implicit concealment IJA, Odysseus Hide malicious query or response inside benign-looking images
Distributed recomposition CAMO, DSR, COMET Split harmful semantics across benign fragments and force multimodal reconstruction
Cross-modality transfer Multi-AudioJail, alignment curse Transfer adversarial semantics from text to audio or exploit weak modalities
Generative-system attacks VEIL, RunawayEvil Steer T2V or I2V generation via multimodal prompt or image-text coordination

This progression reflects a shift in what is being attacked. Earlier work frequently targeted visible prompt surfaces, whereas more recent work targets the model’s own cross-modal reasoning competence. This suggests that stronger multimodal utility can enlarge the effective attack space when safety supervision does not constrain the internal composition process as strongly as it constrains surface text.

3. Mechanistic foundations in vision-LLMs

A major line of work models jailbreaking as manipulation of fused internal representations. JailBound argues that VLMs encode safety-relevant information in fusion-layer hidden states and that these states admit an implicit safety hyperplane. For clean inputs,

h=Ï•(xv,xt),h = \phi(x_v, x_t),

and for adversarial inputs,

h~=Ï•(x~v,x~t).\tilde h = \phi(\tilde x_v, \tilde x_t).

The paper approximates a boundary at layer ll with a linear probe

Pm(xv,xt)=σ(w⊤ϕ(xv,xt)+b),P_m(x_v,x_t)=\sigma(w^\top \phi(x_v,x_t)+b),

yielding a hyperplane

B(l)(w,b)={h(l)∈RD∣(w(l))⊤h(l)+b(l)=0}.\mathcal{B}^{(l)}(w,b)=\{h^{(l)}\in\mathbb{R}^D \mid (w^{(l)})^\top h^{(l)} + b^{(l)}=0\}.

The attack then jointly optimizes image perturbations and a learned text suffix toward a target point shifted across that boundary, using an alignment loss, a semantic preservation term, and a geometric boundary loss (Song et al., 26 May 2025).

A second line of work focuses on concealment rather than latent probing. IJA hides the combined string Q⊕sQ \oplus s inside an image by overwriting the least significant bit of each pixel,

fvf_v0

and pairs the steganographic image with a benign-looking extraction-style prompt. It supplements this with a GCG-style suffix and an iterative template-optimization loop that refines the prompt based on model feedback (Wang et al., 22 May 2025). Odysseus generalizes this logic to dual steganography: the malicious query is embedded into input images, and the harmful answer is returned hidden in another benign-looking image, allowing both input and output filters to observe only encoded artifacts rather than explicit unsafe semantics (Li et al., 23 Dec 2025).

A third line distributes the semantics of a harmful request across benign components. CAMO selects target keywords from a harmful prompt, masks them in the text, encodes character-level clues into an image, and forces the model to recover the word through a reasoning chain:

fvf_v1

Its difficulty is controlled by a word masking ratio fvf_v2 and character masking ratio fvf_v3, making reasoning complexity a tunable attack variable (Jiang et al., 20 Jun 2025). DSR instead decomposes harmful intent into Role, Scene, and Sensitive primitives,

fvf_v4

with each primitive constrained to be benign under the input-stage evaluator, then renders them into separate harmless images whose joint interpretation yields harmful output (Wang et al., 1 Jun 2026). COMET extends this approach with knowledge-scalable reframing, cross-modal clue entangling, and cross-modal scenario nesting, so that harmful meaning emerges from multi-hop reconstruction and a fake evaluation context rather than from explicit content in either modality (Yan et al., 9 Feb 2026).

These mechanistic families differ in where they locate the vulnerability. JailBound places it in latent geometry, IJA and Odysseus in hidden channels that evade visible-content filtering, and CAMO, DSR, and COMET in cross-modal reasoning and recomposition. Taken together, they imply that multimodal safety failures can arise from either the representation space itself or the model’s ability to infer global intent from individually safe local clues.

4. Audio, omni-model, and generative-system variants

Cross-modal jailbreaking is not confined to image-text models. In large audio-LLMs and omni-models, attacks exploit the mismatch between safety alignment in text and safety behavior in audio. Multi-AudioJail constructs multilingual, natural multi-accent, and synthetic multi-accent audio from 520 harmful instructions, expands them with three reverberation variants, echo, and whisper, and reports a benchmark of 102,720 audio jailbreaking prompts. It defines Jailbreak Success Rate as

fvf_v5

The paper reports that multilingual audio-only attacks are 3.1x more successful than text-only attacks on average, and that perturbations can increase JSR by up to +57.25 percentage points, including a reverberated Kenyan-accented attack on MERaLiON reaching 61.25% JSR (Roh et al., 1 Apr 2025).

The alignment-curse framework studies text-to-audio transfer in end-to-end omni-models. Its theoretical claim is that if semantically equivalent text and audio induce nearby internal representations, then harmful behavior should transfer across modalities. Formally, if

fvf_v6

then for any measurable behavior set fvf_v7,

fvf_v8

Empirically, text-transferred audio jailbreaks such as PAP (A) and AutoDAN-Turbo (A) perform comparably to, and often better than, dedicated audio attacks, with PAP (A) reaching average SR 0.70 across evaluated omni-models (Chen et al., 30 Jan 2026).

Best-of-N jailbreaking shows that stochastic multimodal sampling alone can be an effective black-box strategy. In vision, with fvf_v9, BoN image attacks achieve 56% ASR on GPT-4o and 67% ASR on GPT-4o-mini; in audio, the same framework reaches 71% ASR on GPT-4o Realtime API and 59% on Gemini 1.5 Pro (Hughes et al., 2024). The later cost-aware LALM study reframes audio jailbreaks by semantic, acoustic, signal, and embedding layer, and shows that Acoustic BoN exposes the strongest worst-case audio-space vulnerability, though at high latency (Feng et al., 28 May 2026).

Cross-modal jailbreaking also extends to multimodal generative systems. VEIL targets text-to-video models through a modular prompt grammar of neutral scene anchors, latent auditory triggers, and stylistic modulators, formalized as a constrained optimization over prompt space, and reports a 23 percent improvement in average attack success rate in commercial models (Ying et al., 17 Nov 2025). RunawayEvil attacks image-to-video generation with a Strategy-Tactic-Action architecture that coordinates text jailbreak prompts and image tampering, reporting 87.6% average ASR on COCO2017 and roughly 88%–96% ASR on MM-SafetyBench depending on model and evaluator (Wang et al., 7 Dec 2025).

5. Evaluation practices and empirical landscape

Attack evaluation is heterogeneous, but several metrics recur. ASR is standard in VLM and generative-system work; some studies supplement it with harmfulness scales, StrongReject scores, semantic preservation, toxicity, bypass rate, or query cost. CIDER defines both DSR and ASR and evaluates harmfulness using a HarmBench-based classifier (Xu et al., 2024). SafeMLRM separates Result Safety, Overall Safety, and Reasoning Safety, using Harmfulness Rating on a 0–5 scale and treating HR = 4 or 5 as successful jailbreak (Fang et al., 9 Apr 2025). CrossTALK reports both ASR and Harmfulness Score, averaged over five attempts (Yan et al., 9 Feb 2026). The cost-aware audio study argues that ASR alone is insufficient and explicitly adds Benign Refusal Rate and latency (Feng et al., 28 May 2026).

The empirical results show that cross-modal jailbreaks are often highly effective even against commercial models. JailBound reports 94.32% average white-box ASR and 67.28% average black-box ASR, exceeding prior multimodal jailbreak methods by 6.17% and 21.13%, respectively (Song et al., 26 May 2025). IJA reports ASRs of 91.20% on GPT-4o and 95.07% on Gemini-1.5-Pro on HADES with an average of only 2.11 queries and 97.69% bypass rate (Wang et al., 22 May 2025). CAMO reaches 81.82% ASR on hack_information for GPT-4.1-nano and 96.97% on the same category for Qwen2-VL-72B-Instruct, while reporting 100% evasion against three tested defense types (Jiang et al., 20 Jun 2025). PolyJailbreak reports average ASR 83.34% and average HS 3.976 across eight MLLMs, with 97.5% ASR on GPT-4o and 97.25% on Gemini-2.5-Flash (Wang et al., 20 Oct 2025). COMET reports over 94% ASR across advanced VLMs and a 29% improvement over the best baseline (Yan et al., 9 Feb 2026). Odysseus reports average ASR 78% across evaluated commercial systems and datasets, with individual results up to 99% ASR (Li et al., 23 Dec 2025).

The evidence also indicates that reasoning-augmented multimodal models are not automatically safer. SafeMLRM reports a Reasoning Tax: MLRMs exhibit 37.44% higher jailbreaking success rates than base MLLMs under adversarial attacks, with certain Illegal Activity settings showing nearly 25× degradation and only partial mitigation through emergent self-correction at 16.9% or 16.23% (Fang et al., 9 Apr 2025). This suggests that stronger multimodal reasoning can couple utility gains to larger jailbreak surfaces unless safety alignment scales with the reasoning pathway itself.

6. Defense strategies, tradeoffs, and unresolved issues

Defenses fall into three broad classes: pre-detection, generation-stage control, and training or alignment interventions. CIDER is a plug-and-play pre-detection module that measures the drop in cosine similarity between a harmful text query and an image before and after denoising,

ftf_t0

and flags the input if ftf_t1 for any denoising step. It reaches 79.69% DSR overall, reduces ASR from 60% to 0% on LLaVA-v1.5-7B, and achieves 93.87% DSR against ImgJP, but also causes about a 30% overall performance decline on MM-Vet (Xu et al., 2024).

Recent attack papers repeatedly argue that isolated filtering of text and images is inadequate. DSR states that current guardrails lack an oracle for latent joint semantics and are therefore vulnerable to benign fragments that become harmful only in combination (Wang et al., 1 Jun 2026). CAMO shows that a prompt can remain fluent enough to pass a perplexity filter, contain only benign OCR-visible fragments, and still reconstruct a harmful instruction under joint multimodal reasoning (Jiang et al., 20 Jun 2025). VEIL shows that text-only preprocessing defenses can miss prompts whose harmfulness materializes only in the generated video via latent audiovisual associations (Ying et al., 17 Nov 2025). Odysseus extends this critique to integrated commercial systems, arguing that filters assume malicious content must be explicitly visible at input or output checkpoints (Li et al., 23 Dec 2025).

The defense literature also documents a robustness–utility tradeoff. In the audio setting, VoiceShield Guard reduces average attack success from 0.245 to 0.165 but increases BRR from 0.171 to 0.307, while a Defensive Prompt reduces attack average to 0.064 at the cost of BRR 0.461 (Feng et al., 28 May 2026). The general survey on LLMs and VLMs proposes a three-layer defense principle—variant-consistency and gradient-sensitivity detection at the perception layer, safety-aware decoding and output review at the generation layer, and adversarially augmented preference alignment at the parameter layer—and emphasizes cross-modal collaborative defense and standardized evaluation as future directions (Chen et al., 7 Jan 2026).

A final controversy concerns whether multimodal alignment itself mitigates or amplifies jailbreak risk. The alignment-curse study argues that strong text-audio alignment can propagate textual vulnerabilities into audio (Chen et al., 30 Jan 2026), while JailBound and PolyJailbreak argue that multimodal fusion can reshape or collapse harmful/benign separability in latent space (Song et al., 26 May 2025, Wang et al., 20 Oct 2025). This suggests that better alignment is not uniformly protective; without modality-aware safety objectives, stronger shared representations may improve both helpful multimodal reasoning and adversarial transfer.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (18)
12.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Cross-Modal Jailbreaking.