VisCRA: A Visual Chain Reasoning Attack for Jailbreaking Multimodal Large Language Models

Bingrui Sima, Linhua Cong, Wenxuan Wang, Kun He

TL;DR

VisCRA reveals a critical security vulnerability in Multimodal Large Reasoning Models: stronger visual reasoning can undermine safety protections and enable jailbreaks. It proposes a two-stage Visual Chain Reasoning Attack that first masks harmful regions via Attention-Guided Masking and then uses Multi-Stage Reasoning Induction to infer masked content before executing harmful instructions. Across eleven diverse MLLMs and two major benchmarks, VisCRA substantially outperforms prior jailbreaks, achieving high attack success rates on both open-source and closed-source systems (e.g., up to 76.48% on Gemini 2.0 FT, 66.27% on QvQ-Max, and 56.60% on GPT-4o). The findings underscore the need for reasoning-aware safety mechanisms and robust defenses against reasoning-based attacks in multimodal systems. Overall, the work highlights the double-edged nature of visual reasoning: it boosts capability but also expands the attack surface, with significant implications for deploying trustworthy MLRMs.

Abstract

The emergence of Multimodal Large Reasoning Models (MLRMs) has enabled sophisticated visual reasoning capabilities by integrating reinforcement learning and Chain-of-Thought (CoT) supervision. However, while these enhanced reasoning capabilities improve performance, they also introduce new and underexplored safety risks. In this work, we systematically investigate the security implications of advanced visual reasoning in MLRMs. Our analysis reveals a fundamental trade-off: as visual reasoning improves, models become more vulnerable to jailbreak attacks. Motivated by this critical finding, we introduce VisCRA (Visual Chain Reasoning Attack), a novel jailbreak framework that exploits visual reasoning chains to bypass safety mechanisms. VisCRA combines targeted visual attention masking with a two-stage reasoning induction strategy to precisely control harmful outputs. Extensive experiments demonstrate VisCRA's significant effectiveness, achieving high attack success rates on leading closed-source MLRMs: 76.48% on Gemini 2.0 Flash Thinking, 68.56% on QvQ-Max, and 56.60% on GPT-4o. Our findings highlight a critical insight: the very capability that empowers MLRMs -- their visual reasoning -- can also serve as an attack vector, posing significant security risks.

Paper Structure

This paper contains 33 sections, 3 equations, 8 figures, 6 tables.

Figures (8)

  • Figure 1: Attack success rates (ASR) of base MLLMs vs. reasoning-enhanced MLRMs, with and without visual CoT prompting. Enhanced models (e.g., R1-Onevision) exhibit significantly higher vulnerability to HADES attacks compared to their base counterparts (e.g., Qwen2.5-VL), and the inclusion of visual CoT prompting further amplifies ASR across all models.
  • Figure 2: Illustration of a visual CoT failure case. An early, overly detailed description of harmful visual content (in red) triggers the model’s safety mechanisms (in green), interrupting the reasoning process.
  • Figure 3: Illustration of VisCRA. The framework employs: (1) Attention-Guided Masking of the critical harmful region using an auxiliary model, (2) Multi-Stage Reasoning Induction for the target model to infer masked content and then execute the harmful instruction.
  • Figure 4: A failure case on random masking.
  • Figure 5: Example on QvQ-Max.
  • ...and 3 more figures