The Alignment Curse: Cross-Modality Jailbreak Transfer in Omni-Models
Yupeng Chen, Junchi Yu, Aoxi Liu, Philip Torr, Adel Bibi
TL;DR
This work identifies the alignment curse: strong cross-modality alignment in omni-models can enable textual jailbreak vulnerabilities to transfer to the audio modality. It formalizes a representation-level framework linking input modality and output safety, proving that small KL divergence between text- and audio-induced representations implies similar unsafe outcomes across modalities. Empirically, text-transferred audio attacks via TTS are as effective as, or more effective than, dedicated audio attacks across multiple omni-models and remain potent under audio-only threat models, with strong cross-model transfer observed. The findings underscore a practical safety risk and advocate defenses that explicitly address cross-modality alignment rather than treating modalities in isolation.
Abstract
Recent advances in end-to-end trained omni-models have significantly improved multimodal understanding. At the same time, safety red-teaming has expanded beyond text to encompass audio-based jailbreak attacks. However, an important bridge between textual and audio jailbreaks remains underexplored. In this work, we study the cross-modality transfer of jailbreak attacks from text to audio, motivated by the semantic similarity between the two modalities and the maturity of textual jailbreak methods. We first analyze the connection between modality alignment and cross-modality jailbreak transfer, showing that strong alignment can inadvertently propagate textual vulnerabilities to the audio modality, which we term the alignment curse. Guided by this analysis, we conduct an empirical evaluation of textual jailbreaks, text-transferred audio jailbreaks, and existing audio-based jailbreaks on recent omni-models. Our results show that text-transferred audio jailbreaks perform comparably to, and often better than, audio-based jailbreaks, establishing them as simple yet powerful baselines for future audio red-teaming. We further demonstrate strong cross-model transferability and show that text-transferred audio attacks remain effective even under a stricter audio-only access threat model.
