AdvSplat: Adversarial Attacks on Feed-Forward Gaussian Splatting Models

Abstract

3D Gaussian Splatting (3DGS) is increasingly recognized as a powerful paradigm for real-time, high-fidelity 3D reconstruction. However, its per-scene optimization pipeline limits scalability and generalization, and prevents efficient inference. Recently emerged feed-forward 3DGS models address these limitations by enabling fast reconstruction from a few input views after large-scale pretraining, without scene-specific optimization. Despite their advantages and strong potential for commercial deployment, the use of neural networks as the backbone also amplifies the risk of adversarial manipulation. In this paper, we introduce AdvSplat, the first systematic study of adversarial attacks on feed-forward 3DGS. We first employ white-box attacks to reveal fundamental vulnerabilities of this model family. We then develop two improved, practically relevant, query-efficient black-box algorithms that optimize pixel-space perturbations via a frequency-domain parameterization: one based on gradient estimation and the other gradient-free, without requiring any access to model internals. Extensive experiments across multiple datasets demonstrate that AdvSplat can significantly disrupt reconstruction results by injecting imperceptible perturbations into the input images. Our findings surface an overlooked yet urgent problem in this domain, and we hope to draw the community's attention to this emerging security and robustness challenge.

Figures (8)

• Figure 1: White-box attack (here we use PGD attack madry2017towards) results against feed-forward 3DGS model (here we use NoPoSplatye2024no)) on the RE10K dataset. "Ref." denotes two input reference views, and "Novel Views" denote the newly rendered target viewpoints. The first row shows results on clean inputs, while the second row shows results on adversarially perturbed inputs. The rightmost radar chart shows the rendered image quality with clean/attacked inputs, where PSNR is normalized with 30 as the maximum value. As shown, both quantitative and qualitative results consistently indicate that even imperceptible perturbations can severely degrade the reconstruction quality.
• Figure 2: Pipeline of our proposed method, including gradient-based and gradient-free variants. The HTML]BFDCE7blue blocks denote the DCT coefficient maps, the HTML]F9EDE0yellow blocks denote the sampled noise, the HTML]D9E4C2green blocks denote the images after iDCT, and the HTML]C6C4DFpurple blocks denote the rendered images. The black box in the center is the feed-forward 3DGS model with unknown parameters, illustrated by the HTML]D9D9D9gray block. The gray ellipses depict a contour map of the loss function, and the red star indicates the maximum. The red arrow inside the ellipse shows the gradient direction, while the red dashed ellipse indicates the noise sampling region. Finally, the noise sample marked with a red checkmark is the optimal perturbation we seek.
• Figure 3: Qualitative results on RE10K and DL3DV ($\epsilon = 8/255$). The left half shows scenes from RE10K, while the right half shows scenes from DL3DV. DP denotes DepthSplat, NP denotes NoPoSplat, and AP denotes AnySplat. GB denotes the gradient-based variant, and GF denotes the gradient-free variant. For each method and each scene, we select two reference views and render three novel views. All baselines use clean inputs, whereas our method uses the optimized adversarial examples as inputs.
• Figure 4: Visualization of 3D Gaussian point clouds.
• Figure 5: Loss comparison with and without DCT. GB denotes the gradient-based variant, and GF denotes the gradient-free variant.