attack 2026

Jailbreaking the Matrix: Nullspace Steering for Controlled Model Subversion

Vishal Pramanik 1, Maisha Maliha 2, Susmit Jha 3, Sumit Kumar Jha 2

1 University of Oklahoma

2 University of Florida

3 SRI International

0 citations
α

Published on arXiv

2604.10326

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Achieves state-of-the-art attack success rates with fewer queries than prior jailbreak methods across multiple benchmarks and strong safety defenses

HMNS (Head-Masked Nullspace Steering)

Novel technique introduced

Large language models remain vulnerable to jailbreak attacks -- inputs designed to bypass safety mechanisms and elicit harmful responses -- despite advances in alignment and instruction tuning. We propose Head-Masked Nullspace Steering (HMNS), a circuit-level intervention that (i) identifies attention heads most causally responsible for a model's default behavior, (ii) suppresses their write paths via targeted column masking, and (iii) injects a perturbation constrained to the orthogonal complement of the muted subspace. HMNS operates in a closed-loop detection-intervention cycle, re-identifying causal heads and reapplying interventions across multiple decoding attempts. Across multiple jailbreak benchmarks, strong safety defenses, and widely used language models, HMNS attains state-of-the-art attack success rates with fewer queries than prior methods. Ablations confirm that nullspace-constrained injection, residual norm scaling, and iterative re-identification are key to its effectiveness. To our knowledge, this is the first jailbreak method to leverage geometry-aware, interpretability-informed interventions, highlighting a new paradigm for controlled model steering and adversarial safety circumvention.

Key Contributions

  • Novel jailbreak method (HMNS) that identifies causally responsible attention heads, masks their outputs, and injects perturbations in the orthogonal nullspace
  • Closed-loop detection-intervention cycle that re-identifies causal heads across decoding steps for defense resilience
  • State-of-the-art attack success rates across AdvBench, HarmBench, JBB-Behaviors, and StrongReject with fewer queries than prior methods

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
white_boxinference_timetargeted
Datasets
AdvBenchHarmBenchJBB-BehaviorsStrongReject
Applications
safety-aligned language modelsjailbreak resistance evaluation
Read PDF arXiv Code

Similar Papers

attack

RepIt: Steering Language Models with Concept-Specific Refusal Vectors

2025 0 cit.
100%
attack

Large Language Lobotomy: Jailbreaking Mixture-of-Experts via Expert Silencing

2026 0 cit.
100%
attack

Knowing without Acting: The Disentangled Geometry of Safety Mechanisms in Large Language Models

2026 0 cit.
100%
attack

The Rogue Scalpel: Activation Steering Compromises LLM Safety

2025 4 cit.
100%
attack

Selective Steering: Norm-Preserving Control Through Discriminative Layer Selection

2026 0 cit.
100%
attack

MEUV: Achieving Fine-Grained Capability Activation in Large Language Models via Mutually Exclusive Unlock Vectors

2025 0 cit.
100%
attack

Attributing and Exploiting Safety Vectors through Global Optimization in Large Language Models

2026 0 cit.
100%
attack

Amnesia: Adversarial Semantic Layer Specific Activation Steering in Large Language Models

2026 0 cit.
100%