Audio Jailbreak: An Open Comprehensive Benchmark for Jailbreaking Large Audio-Language Models (2026.acl-long)
Copied to clipboard
Zirui Song, Qian Jiang, Mingxuan Cui, Mingzhe Li, Lang Gao, Zeyu Zhang, Zixiang Xu, Yanbo Wang, Guangxian Ouyang, Zhenhao Chen, Xiuying Chen
| Challenge: | a recent study evaluated large audio-language models against jailbreak attacks . a new benchmark is being developed to evaluate LAM safety against jailbreaking attacks based on temporal and semantic nature of speech . |
| Approach: | They propose a benchmark to evaluate LAM jailbreak vulnerabilities in adversarial audio prompts . they use a dataset of 1,495 adversarials to evaluate their performance . |
| Outcome: | The proposed benchmark evaluates state-of-the-art LAMs against jailbreak attacks . it demonstrates that even small, semantically preserved perturbations can reduce safety . |
Similar Papers
Shaping the Safety Boundaries: Understanding and Defending Against Jailbreaks in Large Language Models (2025.acl-long)
Copied to clipboard
| Challenge: | Understanding how jailbreaking works remains limited, hindering the development of effective defense strategies. |
| Approach: | They propose a new mechanism that adaptively constrains activations within the safety boundary and propose 'Activation Boundary Defense' to enhance its effectiveness. |
| Outcome: | The proposed defense achieves an average Defense Success Rate (DSR) of over 98% against various jailbreak attacks, with less than 2% impact on the model’s general capabilities. |
SpeechGuard: Exploring the Adversarial Robustness of Multi-modal Large Language Models (2024.findings-acl)
Copied to clipboard
Raghuveer Peri, Sai Muralidhar Jayanthi, Srikanth Ronanki, Anshu Bhatia, Karel Mundnich, Saket Dingliwal, Nilaksh Das, Zejiang Hou, Goeric Huybrechts, Srikanth Vishnubhotla, Daniel Garcia-Romero, Sundararajan Srinivasan, Kyu Han, Katrin Kirchhoff
| Challenge: | Integrated Speech and Large Language Models (SLMs) that follow speech instructions and generate relevant text responses have gained popularity lately. |
| Approach: | They propose algorithms that can generate adversarial examples to jailbreak SLMs without human involvement. |
| Outcome: | The proposed algorithms achieve state-of-the-art on spoken question-answering task scoring over 80% on both safety and helpfulness metrics. |
Stand on The Shoulders of Giants: Building JailExpert from Previous Attack Experience (2025.emnlp-main)
Copied to clipboard
Xi Wang, Songlei Jian, Shasha Li, Xiaopeng Li, Bin Ji, Ma Jun, Xiaodong Liu, Jing Wang, Jianfeng Zhang, Jie Yu, Feilong Bao, null Wangbaosheng
| Challenge: | Existing methods to generate human-aligned content with a “jailbreak prompt” are inefficient and repetitive, causing inefficiency and a lack of experience. |
| Approach: | They propose a framework that integrates past attack experiences to aid current jailbreak attempts. |
| Outcome: | The proposed framework improves both attack effectiveness and efficiency compared to the current black-box jailbreak method. |
Now You Hear Me: Audio Narrative Attacks Against Large Audio–Language Models (2026.eacl-long)
Copied to clipboard
| Challenge: | Existing jailbreaks against large audio-language models fall into two categories . early work converted text-based prompts into synthetic speech, while subsequent work introduced minor acoustic variations such as accent shifts, phonetic spellings, or stress patterns. |
| Approach: | They propose a text-to-audio jailbreak that embeds disallowed directives within a narrative-style audio stream. |
| Outcome: | The proposed attack exploits structural and acoustic properties of a text-to-audio model . it achieves 98.26% success rate, significantly exceeding baselines for text-based models . |
SoundBreak: A Systematic Study of Audio-Only Adversarial Attacks on Trimodal Models (2026.acl-long)
Copied to clipboard
| Challenge: | Recent advances in multimodal large language models have increased their vulnerability to adversarial manipulation. |
| Approach: | They propose to target audio-only adversarial attacks on multimodal audio–video–language models . they show that attacks can be successful at low perceptual distortions . |
| Outcome: | The proposed models achieve up to 96% success rate under realistic conditions . the proposed models are more robust to noise than to noise and distortion than to speech recognition systems . |
Jailbreaking Attacks vs. Content Safety Filters: How Far Are We in the LLM Safety Arms Race? (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing studies have focused on the models, neglecting the full deployment pipeline . previous studies have underestimated the practical success of these attacks . |
| Approach: | They evaluate the effectiveness of jailbreak attacks targeting LLM safety alignment . they highlight critical gaps and call for further refinement of detection accuracy and usability . |
| Outcome: | The proposed attacks can detect at least one safety filter across the entire deployment pipeline. |
Understanding Jailbreak Success: A Study of Latent Space Dynamics in Large Language Models (2026.eacl-long)
Copied to clipboard
| Challenge: | Emerging jailbreaking techniques can still elicit unsafe outputs, presenting an ongoing challenge for model alignment. |
| Approach: | They propose to extract a jailbreak vector from a single class of jailbreaks that works to mitigate jailbreak effectiveness from other, semantically-dissimilar classes. |
| Outcome: | The proposed jailbreak vectors show that they reduce harmfulness in most models, and that they are similar in geometric and effect similarity. |
SPIRIT: Patching Speech Language Models against Jailbreak Attacks (2025.emnlp-main)
Copied to clipboard
| Challenge: | Speech language models (SLMs) enable natural interactions via spoken instructions, which more effectively capture user intent by detecting nuances in speech. |
| Approach: | They propose post-hoc patching defenses to intervene during inference by modifying the SLM’s activations that improve robustness up to 99% with negligible impact on utility and without any re-training. |
| Outcome: | The proposed defenses improve robustness up to 99% with negligible impact on utility and (ii) without any re-training. |
Iterative Self-Tuning LLMs for Enhanced Jailbreaking Capabilities (2025.naacl-long)
Copied to clipboard
Chung-En Sun, Xiaodong Liu, Weiwei Yang, Tsui-Wei Weng, Hao Cheng, Aidan San, Michel Galley, Jianfeng Gao
| Challenge: | Recent research shows that Large Language Models (LLMs) are vulnerable to automated jailbreak attacks. |
| Approach: | They propose a framework that crafts adversarial LLMs with enhanced jailbreak ability. |
| Outcome: | ADV-LLM significantly reduces the computational cost of generating adversarial suffixes while achieving nearly 100% ASR on various open-source LLMs. |
Jailbreaks as Inference-Time Alignment: A Framework for Understanding Safety Failures in LLMs (2026.eacl-long)
Copied to clipboard
| Challenge: | Large language models are safety-aligned to prevent harmful response generation . prior work on jailbreak effectiveness has focused on analyzing success rate of jailbreaks . |
| Approach: | They propose to frame jailbreaks as inference-time alignment and draw suboptimal bounds . they also propose a Safety-Net to measure how vulnerable an LLM is to jailbreak attacks . |
| Outcome: | a new framework allows researchers to show how vulnerable an LLM is to jailbreaks . a Safety-Net measures how vulnerable the model is to attacks, the authors say . |