Stealth Fine-Tuning: Efficiently Breaking Alignment in RVLMs Using Self-Generated CoT
Le Yu, Zhengyue Zhao, Yawen Zheng, Yunhao Liu

TL;DR
This paper introduces Stealth Fine-Tuning, a low-cost method to bypass safety alignment in RVLMs by exploiting their chain-of-thought traces, using minimal data and computational resources.
Contribution
The work presents a novel attack technique called Stealth Fine-Tuning that effectively breaks RVLM safety alignment with limited data and time, outperforming previous methods.
Findings
Outperforms IDEATOR by 38.66% ASR with only 499 samples
Retains original reasoning abilities after fine-tuning
Demonstrates effectiveness across multiple benchmarks
Abstract
Reasoning-augmented Vision-Language Models (RVLMs) rely on safety alignment to prevent harmful behavior, yet their exposed chain-of-thought (CoT) traces introduce new attack surfaces. In this work, we find that the safety alignment of RVLMs can be easily broken through a novel attack method termed Stealth Fine-Tuning. Our method elicits harmful reasoning traces through segment-level interference and reuses the self-generated outputs as supervised fine-tuning data. To facilitate this, we introduce a turn-based weighted loss that minimizes distribution shift. In our experiment, with only 499 samples and under 3 hours on a single A100 (QLoRA), Stealth Fine-Tuning outperforms IDEATOR by 38.66% ASR while preserving general reasoning ability, as the tuned model retains the original representation distribution. Experiments on AdvBench and several general benchmarks…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Hate Speech and Cyberbullying Detection
