The Side Effects of Being Smart: Safety Risks in MLLMs' Multi-Image Reasoning

TL;DR

This paper introduces MIR-SafetyBench, a benchmark for assessing safety risks in multi-image reasoning by MLLMs, revealing that more advanced models tend to be more vulnerable and often produce superficial or evasive responses.

Contribution

It presents the first safety benchmark for multi-image reasoning in MLLMs and provides extensive evaluation revealing safety vulnerabilities correlated with reasoning capabilities.

Findings

More advanced models are more vulnerable on MIR-SafetyBench.

Many safe responses are superficial or evasive.

Unsafe generations show lower attention entropy.

Abstract

As Multimodal Large Language Models (MLLMs) acquire stronger reasoning capabilities to handle complex, multi-image instructions, this advancement may pose new safety risks. We study this problem by introducing MIR-SafetyBench, the first benchmark focused on multi-image reasoning safety, which consists of 2,676 instances across a taxonomy of 9 multi-image relations. Our extensive evaluations on 19 MLLMs reveal a troubling trend: models with more advanced multi-image reasoning can be more vulnerable on MIR-SafetyBench. Beyond attack success rates, we find that many responses labeled as safe are superficial, often driven by misunderstanding or evasive, non-committal replies. We further observe that unsafe generations exhibit lower attention entropy than safe ones on average. This internal signature suggests a possible risk that models may over-focus on task solving while neglecting safety constraints. Our code and data are available at https://github.com/thu-coai/MIR-SafetyBench.