Beyond Visual Safety: Jailbreaking Multimodal Large Language Models for Harmful Image Generation via Semantic-Agnostic Inputs
Mingyu Yu, Lana Liu, Zhehao Zhao, Wei Wang, Sujuan Qin
TL;DR
This work addresses the visual safety vulnerabilities of multimodal LLMs by introducing Beyond Visual Safety (BVS), a jailbreak framework that decouples malicious intent from inputs through semantic neutralization and inductive recomposition. The three-stage pipeline—Visual Guidance Generation, Neutralized Visual Splicing, and a Chinese Inductive Prompt—uses the Multi-Image Distance Optimization Selection (MIDOS) algorithm to assemble semantically diluted inputs that provoke latent harm during inference. The study provides a dedicated benchmark of 110 high-severity prompts and demonstrates that BVS achieves near-perfect jailbreak success on GPT-5 ($\$98.21\%$) and strong performance on Gemini 1.5, significantly outperforming existing image-based jailbreaks. Findings reveal critical, previously hidden vulnerabilities in current visual safety alignments and underscore the need for fine-grained, intent-aware defenses against fragmented semantic attacks in multimodal systems.
Abstract
The rapid advancement of Multimodal Large Language Models (MLLMs) has introduced complex security challenges, particularly at the intersection of textual and visual safety. While existing schemes have explored the security vulnerabilities of MLLMs, the investigation into their visual safety boundaries remains insufficient. In this paper, we propose Beyond Visual Safety (BVS), a novel image-text pair jailbreaking framework specifically designed to probe the visual safety boundaries of MLLMs. BVS employs a "reconstruction-then-generation" strategy, leveraging neutralized visual splicing and inductive recomposition to decouple malicious intent from raw inputs, thereby leading MLLMs to be induced into generating harmful images. Experimental results demonstrate that BVS achieves a remarkable jailbreak success rate of 98.21\% against GPT-5 (12 January 2026 release). Our findings expose critical vulnerabilities in the visual safety alignment of current MLLMs.
