Table of Contents
Fetching ...

Beyond Visual Safety: Jailbreaking Multimodal Large Language Models for Harmful Image Generation via Semantic-Agnostic Inputs

Mingyu Yu, Lana Liu, Zhehao Zhao, Wei Wang, Sujuan Qin

TL;DR

This work addresses the visual safety vulnerabilities of multimodal LLMs by introducing Beyond Visual Safety (BVS), a jailbreak framework that decouples malicious intent from inputs through semantic neutralization and inductive recomposition. The three-stage pipeline—Visual Guidance Generation, Neutralized Visual Splicing, and a Chinese Inductive Prompt—uses the Multi-Image Distance Optimization Selection (MIDOS) algorithm to assemble semantically diluted inputs that provoke latent harm during inference. The study provides a dedicated benchmark of 110 high-severity prompts and demonstrates that BVS achieves near-perfect jailbreak success on GPT-5 ($\$98.21\%$) and strong performance on Gemini 1.5, significantly outperforming existing image-based jailbreaks. Findings reveal critical, previously hidden vulnerabilities in current visual safety alignments and underscore the need for fine-grained, intent-aware defenses against fragmented semantic attacks in multimodal systems.

Abstract

The rapid advancement of Multimodal Large Language Models (MLLMs) has introduced complex security challenges, particularly at the intersection of textual and visual safety. While existing schemes have explored the security vulnerabilities of MLLMs, the investigation into their visual safety boundaries remains insufficient. In this paper, we propose Beyond Visual Safety (BVS), a novel image-text pair jailbreaking framework specifically designed to probe the visual safety boundaries of MLLMs. BVS employs a "reconstruction-then-generation" strategy, leveraging neutralized visual splicing and inductive recomposition to decouple malicious intent from raw inputs, thereby leading MLLMs to be induced into generating harmful images. Experimental results demonstrate that BVS achieves a remarkable jailbreak success rate of 98.21\% against GPT-5 (12 January 2026 release). Our findings expose critical vulnerabilities in the visual safety alignment of current MLLMs.

Beyond Visual Safety: Jailbreaking Multimodal Large Language Models for Harmful Image Generation via Semantic-Agnostic Inputs

TL;DR

This work addresses the visual safety vulnerabilities of multimodal LLMs by introducing Beyond Visual Safety (BVS), a jailbreak framework that decouples malicious intent from inputs through semantic neutralization and inductive recomposition. The three-stage pipeline—Visual Guidance Generation, Neutralized Visual Splicing, and a Chinese Inductive Prompt—uses the Multi-Image Distance Optimization Selection (MIDOS) algorithm to assemble semantically diluted inputs that provoke latent harm during inference. The study provides a dedicated benchmark of 110 high-severity prompts and demonstrates that BVS achieves near-perfect jailbreak success on GPT-5 (98.21\%$) and strong performance on Gemini 1.5, significantly outperforming existing image-based jailbreaks. Findings reveal critical, previously hidden vulnerabilities in current visual safety alignments and underscore the need for fine-grained, intent-aware defenses against fragmented semantic attacks in multimodal systems.

Abstract

The rapid advancement of Multimodal Large Language Models (MLLMs) has introduced complex security challenges, particularly at the intersection of textual and visual safety. While existing schemes have explored the security vulnerabilities of MLLMs, the investigation into their visual safety boundaries remains insufficient. In this paper, we propose Beyond Visual Safety (BVS), a novel image-text pair jailbreaking framework specifically designed to probe the visual safety boundaries of MLLMs. BVS employs a "reconstruction-then-generation" strategy, leveraging neutralized visual splicing and inductive recomposition to decouple malicious intent from raw inputs, thereby leading MLLMs to be induced into generating harmful images. Experimental results demonstrate that BVS achieves a remarkable jailbreak success rate of 98.21\% against GPT-5 (12 January 2026 release). Our findings expose critical vulnerabilities in the visual safety alignment of current MLLMs.
Paper Structure (26 sections, 1 equation, 5 figures, 2 tables, 1 algorithm)

This paper contains 26 sections, 1 equation, 5 figures, 2 tables, 1 algorithm.

Figures (5)

  • Figure 1: The overall architecture of the BVS framework.
  • Figure 2: Examples of Jailbreak Outputs.
  • Figure 3: Examples of harmful images that MLLMs can generate directly from text prompts without any jailbreaking. These categories (e.g., general violence, illegal activities, discrimination, offensive gestures) are often included in prior datasets but do not require sophisticated jailbreaking to produce.
  • Figure 4: Diversity of generated harmful images from a single inducing image. (a) The inducing image $I_S$ used as input. (b)-(f) Five distinct harmful images generated by GPT-5 over five separate trials, demonstrating varied visual content while maintaining consistent malicious semantics.
  • Figure 5: Example of the Chinese inductive prompt used in the BVS framework. The prompt is designed to guide the MLLM through role-playing and spatial reassembly tasks.