AdvSplat: Adversarial Attacks on Feed-Forward Gaussian Splatting Models

TL;DR

AdvSplat systematically studies adversarial attacks on feed-forward 3D Gaussian Splatting models, revealing their vulnerabilities and demonstrating how imperceptible input perturbations can significantly disrupt 3D reconstruction quality.

Contribution

This paper introduces the first adversarial attack framework for feed-forward 3D Gaussian Splatting models, including novel black-box algorithms and extensive experimental validation.

Findings

White-box attacks expose fundamental vulnerabilities.

Black-box algorithms effectively disrupt models with minimal queries.

Imperceptible perturbations significantly impair 3D reconstruction.

Abstract

3D Gaussian Splatting (3DGS) is increasingly recognized as a powerful paradigm for real-time, high-fidelity 3D reconstruction. However, its per-scene optimization pipeline limits scalability and generalization, and prevents efficient inference. Recently emerged feed-forward 3DGS models address these limitations by enabling fast reconstruction from a few input views after large-scale pretraining, without scene-specific optimization. Despite their advantages and strong potential for commercial deployment, the use of neural networks as the backbone also amplifies the risk of adversarial manipulation. In this paper, we introduce AdvSplat, the first systematic study of adversarial attacks on feed-forward 3DGS. We first employ white-box attacks to reveal fundamental vulnerabilities of this model family. We then develop two improved, practically relevant, query-efficient black-box algorithms that optimize pixel-space perturbations via a frequency-domain parameterization: one based on gradient estimation and the other gradient-free, without requiring any access to model internals. Extensive experiments across multiple datasets demonstrate that AdvSplat can significantly disrupt reconstruction results by injecting imperceptible perturbations into the input images. Our findings surface an overlooked yet urgent problem in this domain, and we hope to draw the community's attention to this emerging security and robustness challenge.