A Fragile Guardrail: Diffusion LLM's Safety Blessing and Its Failure Mode

Diffusion large language models (D-LLMs) offer an alternative to autoregressive LLMs (AR-LLMs) and have demonstrated advantages in generation efficiency. Beyond the utility benefits, we argue that D-LLMs exhibit a previously underexplored safety blessing: their diffusion-style generation confers intrinsic robustness against jailbreak attacks originally designed for AR-LLMs. In this work, we provide an initial analysis of the underlying mechanism, showing that the diffusion trajectory induces a stepwise reduction effect that progressively suppresses unsafe generations. This robustness, however, is not absolute. We identify a simple yet effective failure mode, termed context nesting, where harmful requests are embedded within structured benign contexts, effectively bypassing the stepwise reduction mechanism. Empirically, we show that this simple strategy is sufficient to bypass D-LLMs' safety blessing, achieving state-of-the-art attack success rates across models and benchmarks. Most notably, it enables the first successful jailbreak of Gemini Diffusion, to our knowledge, exposing a critical vulnerability in commercial D-LLMs. Together, our results characterize both the origins and the limits of D-LLMs' safety blessing, constituting an early-stage red-teaming of D-LLMs.

Key Contributions

• Identifies and mechanistically explains a 'safety blessing' in D-LLMs: the diffusion trajectory's stepwise reduction effect progressively suppresses unsafe token generations, conferring intrinsic robustness against AR-LLM jailbreaks.
• Proposes 'context nesting', a simple prompt-level attack that embeds harmful requests inside structured benign contexts to bypass the stepwise reduction mechanism.
• Demonstrates SOTA jailbreak success rates on multiple D-LLMs, including the first reported successful jailbreak of commercial Gemini Diffusion.

🛡️ Threat Analysis

Details

Similar Papers