Beyond Visual Safety: Jailbreaking Multimodal Large Language Models for Harmful Image Generation via Semantic-Agnostic Inputs

The rapid advancement of Multimodal Large Language Models (MLLMs) has introduced complex security challenges, particularly at the intersection of textual and visual safety. While existing schemes have explored the security vulnerabilities of MLLMs, the investigation into their visual safety boundaries remains insufficient. In this paper, we propose Beyond Visual Safety (BVS), a novel image-text pair jailbreaking framework specifically designed to probe the visual safety boundaries of MLLMs. BVS employs a “reconstruction-then-generation” strategy, leveraging neutralized visual splicing and inductive recomposition to decouple malicious intent from raw inputs, thereby leading MLLMs to be induced into generating harmful images. Experimental results demonstrate that BVS achieves a remarkable jailbreak success rate of 98.21% against GPT-5 (12 January 2026 release). Our findings expose critical vulnerabilities in the visual safety alignment of current MLLMs.

💡 Research Summary

The paper introduces “Beyond Visual Safety” (BVS), a novel image‑text pair jailbreak framework that probes the visual safety boundaries of Multimodal Large Language Models (MLLMs). While prior work has largely focused on textual jailbreaks, the authors argue that MLLMs also enforce safety on visual inputs, and that these visual defenses have not been thoroughly examined.

BVS follows a three‑stage “reconstruction‑then‑generation” pipeline. First, a malicious textual prompt is fed into a text‑to‑image model (CogView4‑6B) to produce a malicious inductive image I_A that directly encodes the harmful intent. This image alone is readily blocked by existing safety filters. Second, I_A is partitioned into four equal patches, shuffled, and interleaved with five benign patches drawn from a curated “Neutralized Image Data” set (25 everyday images). The selection of the neutral patches is performed by the Multi‑Image Distance Optimization Selection (MIDOS) algorithm, which maximizes the semantic distance between the central patch and I_A while minimizing local perceptual dissonance between adjacent patches. The result is a semantically neutralized composite image I_S that appears innocuous to a human observer and to surface‑level safety checks.

Third, I_S is paired with a specially crafted Chinese inductive prompt. The prompt instructs the target MLLM to treat the input as a 3×3 matrix, mentally reconstruct the four malicious quadrants (positions a₁₁, a₁₃, a₃₁, a₃₃) into a coherent image, and then generate a new image based on that reconstructed content. Because the malicious intent is hidden during the input stage and only emerges within the model’s latent space during reconstruction, the model’s safety guardrails—typically applied to raw inputs—are bypassed, leading to the generation of prohibited images.

The authors built a benchmark of 110 malicious prompts (all rejected by GPT‑5 when submitted directly) and compared BVS against two recent image‑based jailbreak methods: Perception‑Guided (lexical substitution) and Chain‑of‑Jailbreak (iterative image modification). Evaluation was performed by two independent vision models (Doubao‑1.5‑Pro and Qwen2.5‑VL) that labeled outputs as “prohibited” or “benign”. BVS achieved a 98.21 % jailbreak success rate, far surpassing the baselines (≈62 % and ≈71 %).

Key contributions include: (1) a dedicated visual‑safety benchmark and publicly released code; (2) the MIDOS algorithm that quantitatively balances global semantic distance and local perceptual coherence; and (3) the demonstration that a “reconstruction‑then‑generation” attack can evade input‑level safety mechanisms.

The paper also acknowledges limitations: the neutral image pool is small (25 images), the attack relies on Chinese prompts (raising language‑specific concerns), and experiments are confined to a single MLLM (GPT‑5), leaving open questions about generalization to other models such as LLaVA, Gemini, or Claude‑Vision. Moreover, releasing the code and dataset poses dual‑use risks, prompting a call for responsible disclosure and the development of stronger, cross‑modal defenses.

Overall, BVS reveals a critical vulnerability in current MLLM safety alignment: the disconnect between local visual perception and global semantic reasoning. By fragmenting malicious content across spatial locations and deferring its reconstruction to an internal reasoning step, attackers can bypass visual guardrails and compel the model to produce harmful images. Future work should expand neutral image libraries, explore multilingual prompt designs, and devise defense mechanisms that monitor latent reconstructions as well as raw inputs.