Adversarial Confusion Attack: Disrupting Multimodal Large Language Models
Jakub Hoscilowicz, Artur Janicki

TL;DR
The paper presents the Adversarial Confusion Attack, a method to systematically disrupt multimodal large language models by generating adversarial images that cause incoherent or incorrect outputs, affecting both open-source and proprietary models.
Contribution
It introduces a novel attack that maximizes entropy to disrupt MLLMs, demonstrating transferability and effectiveness in white-box settings.
Findings
Single adversarial images disrupt multiple models
Attack transfers to unseen models
Effective in both full-image and CAPTCHA scenarios
Abstract
We introduce the Adversarial Confusion Attack, a new class of threats against multimodal large language models (MLLMs). Unlike jailbreaks or targeted misclassification, the goal is to induce systematic disruption that makes the model generate incoherent or confidently incorrect outputs. Practical applications include embedding such adversarial images into websites to prevent MLLM-powered AI Agents from operating reliably. The proposed attack maximizes next-token entropy using a small ensemble of open-source MLLMs. In the white-box setting, we show that a single adversarial image can disrupt all models in the ensemble, both in the full-image and Adversarial CAPTCHA settings. Despite relying on a basic adversarial technique (PGD), the attack generates perturbations that transfer to both unseen open-source (e.g., Qwen3-VL) and proprietary (e.g., GPT-5.1) models.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Generative Adversarial Networks and Image Synthesis
