Text-to-Audio Jailbreak

• Text-to-audio jailbreaks are adversarial attacks that craft audio inputs using TTS and signal transformations to bypass alignment safeguards in large audio-language models.
• They exploit vulnerabilities by embedding narrative elements and applying systematic audio perturbations, achieving high attack success rates, sometimes exceeding 90%.
• Robust defenses remain challenging, necessitating integrated linguistic and paralinguistic safety measures to detect and mitigate subtle, multimodal adversarial cues.

A text-to-audio jailbreak is a class of adversarial attack targeting large audio-LLMs (LALMs) and related multimodal systems wherein audio inputs—often synthesized from text via TTS or constructed by audio-specific transformations—are crafted to bypass alignment safeguards and elicit policy-violating outputs. These attacks exploit the complexity of audio signal processing, cross-modal alignment vulnerabilities, and limitations of current safety mechanisms, which are frequently tuned for text but not for the broader or more subtle manipulations possible in the audio modality.

1. Formal Definitions and Threat Modeling

Text-to-audio jailbreaks are formally defined by constructing an adversarial audio input that, when provided to a target audio-capable model, amplifies the probability of generating harmful or restricted content. Let $x$ be a clean audio input (e.g., a TTS waveform of a benign/forbidden prompt), $M(\cdot)$ the model, and $J(\cdot)$ a judge labeling the output’s compliance. The adversarial objective is: $$\max_{\delta} \quad J(M(x+\delta)) \qquad \text{s.t.} \quad \|\delta\| \leq \epsilon$$ where $\delta$ is an audio perturbation constrained in norm or perceptual distance, and $J(\cdot)$ returns $1$ iff the output is a policy violation (Peng et al., 23 May 2025).

In text-to-audio jailbreaks, the attacker may:

• Directly transfer adversarial text prompts to audio via TTS.
• Apply systematic or randomized signal-level edits (e.g., pitch, speed, noise, echo, accent) to increase attack success rates (ASR).
• Embed imperceptible, universal, or robust perturbations into benign-sounding carriers, leveraging continuous or discrete audio representations (Gupta et al., 2 Feb 2025, Song et al., 21 May 2025, Kim et al., 5 Aug 2025).

The adversary’s knowledge ranges from pure black-box (only API access) to full white-box (access to model internals, gradients), and the goal is to maximize ASR while maintaining perceptual stealth, robustness to channel effects, and (optionally) universality across prompts and carriers.

2. Attack Methodologies

2.1 Text-to-Audio Transformation

Baseline text-to-audio jailbreaks simply apply standard TTS synthesis to text-form jailbreak prompts, yielding audio queries. However, direct transfer is typically ineffective for robustly aligned models: average ASR can be as low as 0.033 for strict voice modes (GPT-4o) (Shen et al., 2024), and ≤6.23% in multilingual settings on LALMs (Roh et al., 1 Apr 2025).

2.2 Humanization and Narrative Embedding

Structural and semantic narrative embedding dramatically increases ASR. For example, VoiceJailbreak employs a two-step prompt construction—setting, character, plot—delivered as an interactive, fictionalized audio scenario (Shen et al., 2024):

• E.g., setting the scene (“Imagine we are role-playing a cybersecurity simulation…”), assigning a role (“You are a fictional expert…”), then posing the forbidden query as part of the narrative.
• These prompts, even when short (~8 s), raise ASR in GPT-4o from 0.033 (text-jailbreak audio) to 0.778 (multi-scenario average), an increase of 0.745 (Shen et al., 2024).

Narrative embedding coupled with prosodic style selection (e.g., “Authoritative Demand,” “Emotive Suggestion”) can further exploit LALM encoders' joint processing of linguistic and paralinguistic features. Layering harmful directives across a narrative, delivering via specific prosody, and temporally masking key segments enables success rates as high as 98.26% on Gemini 2.0 Flash, outperforming both text and basic perturbation attacks by up to 26 percentage points (Yu et al., 30 Jan 2026).

2.3 Signal-Level Transformations

Systematic signal perturbations (Wave-Echo, Wave-Pitch, Wave-Speed, Wave-Volume, or their combinations) effectively bypass text-centric safety modules. For example, shifting pitch by ±2 semitones, adding echo (100 ms, 0.5 gain), or slowing audio by 10% can raise ASR on CBRN queries for Gemini/Flash/GPT-4o-Audio models from <25% (clean) to >74% with minor perceptual change (Kumar et al., 23 Oct 2025). These edits are algorithmically simple and largely preserve intelligibility for both humans and ASR.

2.4 Universal and Robust Adversarial Audio

Gradient-based optimization can produce universal, stealthy perturbations:

• A universal prefix $p^*$ is learned across a batch of base audios $B={x^{(1)},…,x^{(n)}}$, such that prepending $p^*$ to any $x\in B$ consistently increases the likelihood of misaligned outputs. Imperceptibility is maintained via $\ell_\infty$ or band-stop constraints (Gupta et al., 2 Feb 2025).
• Real-world robustness is further ensured by evaluating attacks under over-the-air recording, band-pass filtering, silence masking, and background noise. While ASR typically drops with additional constraints or physical channel noise, significant attack rates persist (e.g., universal $\ell_\infty$-bounded perturbations with $\varepsilon=10^{-3}$ achieve $\sim 18$% ASR, dropping to $\sim 8$% over-the-air) (Gupta et al., 2 Feb 2025).

2.5 Advanced Optimization: Two-Stage and RL-PGD Attacks

More sophisticated pipelines combine reinforcement learning and projected gradient descent (RL-PGD), as in WhisperInject (Kim et al., 5 Aug 2025):

• Stage 1: Maximize harmfulness reward from the model’s own “native” outputs via RL-PGD, discovering in-distribution policy-violating completions.
• Stage 2: Embed the discovered payload via PGD into benign-sounding carriers (e.g., “weather query” audio), constrained in $\ell_\infty$ norm to preserve human imperceptibility.
• This framework yields up to 86% end-to-end ASR across Qwen2.5-Omni-3B, Qwen2.5-Omni-7B, and Phi-4-Multimodal, robust under multiple evaluation settings (LLM judge, human review).

2.6 Multilingual, Multi-Accent, and Stealth Strategies

Adversarial perturbations targeting less-represented languages or accents (e.g., German, synthetic Chinese accent, Kenyan English) can exploit cross-lingual phonetic mismatches, resulting in ASR gains up to +57.25 pp in certain models (Roh et al., 1 Apr 2025). Stealth methods (AudioJailbreak) construct perturbations indistinguishable from benign inputs—speeded-up speech, harmless queries, environmental or background sounds—while preserving high ASR (strong adversary: $\geq 87\%$ universal attack rate on eight LALMs; weak adversary: $\geq 76\%$) (Chen et al., 20 May 2025).

3. Empirical Benchmarks and Datasets

Several large-scale benchmarks enable systematic evaluation of text-to-audio jailbreaks:

Benchmark	Samples	Attacks Supported	Key Evaluation Metrics	Reference
JALMBench	2,200 txt/51,381 audio	Text-to-audio, audio-edits, universal, narrative	ASR; efficiency; topic/voice diversity; t-SNE representation	(Peng et al., 23 May 2025)
AJailBench	1,495 base/extended	Text-to-audio, adversarial perturbation toolkit	ASR per category; perceptual consistency; Bayesian search	(Song et al., 21 May 2025)
Jailbreak-AudioBench	520 base × 18 edits	Tone, accent, noise, intonation, speed	ΔASR under edits; t-SNE drift; defense performance	(Cheng et al., 23 Jan 2025)
Multi-AudioJail	102,720	Multi-language, multi-accent, perturbation	JSR (before/after perturbation); WER correlations	(Roh et al., 1 Apr 2025)

Comprehensive benchmarking reveals:

• Text-only ASR is consistently lower ($\sim$3–7%) than clean audio ($\sim$6–12%), and far below advanced adversarial audio ($\sim$98% for AdvWave, up to 86% for WhisperInject) (Peng et al., 23 May 2025, Kim et al., 5 Aug 2025).
• Category-wise, CBRN, fraud, and misinformation tasks remain most vulnerable, while overt violence is more robustly blocked (Kumar et al., 23 Oct 2025, Peng et al., 23 May 2025).
• Non-English/variant accents often increase vulnerability, revealing a significant gap in multilingual alignment (Roh et al., 1 Apr 2025, Chen et al., 14 Nov 2025).

4. Interpretive Mechanisms, Model Vulnerabilities, and Why Audio Jailbreaks Succeed

The effectiveness of text-to-audio jailbreaks stems from deficiencies in current multimodal safety architectures:

• LALMs, especially end-to-end systems, encode both linguistic and paralinguistic cues (pitch, prosody, speaker affect) such that semantic filters—trained on tokens—miss policy-violating intent signaled by style or narrative structure (Yu et al., 30 Jan 2026).
• Simple signal-level modifications (echo, pitch shift) move the audio input distribution out-of-domain relative to safety-tuned layers, but remain transparent to human/ASR listeners (Kumar et al., 23 Oct 2025).
• Stealthy, universal perturbations can encode “toxic personas” in the audio signal—continuous, first-person, speech-like patterns not trivially isolated by standard text or audio filters—which unlocks misalignment (Gupta et al., 2 Feb 2025).
• Many models rely on separate pipelines (e.g., ASR transcription $\rightarrow$ text safety filter); adversarial perturbations induce errors in ASR or transcription, resulting in false negatives for policy violation (Chen et al., 14 Nov 2025).

Table: Illustrative Attack Success Rates and Perturbation Types

Attack Type	Average ASR	Stealth/Perturbation	Reference
VoiceJailbreak	0.778 (multi-scen.)	Narrative, setting+role+plot	(Shen et al., 2024)
AdvWave	0.973 (audio-origin)	Dual-phase opt, classifier	(Peng et al., 23 May 2025)
WhisperInject (PGD)	0.86	RL-PGD/PGD, carrier embed.	(Kim et al., 5 Aug 2025)
Universal perturb.	0.40–0.65	$\ell_\infty$-banded/precursor	(Gupta et al., 2 Feb 2025)
Humanized Narrative	0.98 (Gemini Flash)	Prosodic delivery + narrative	(Yu et al., 30 Jan 2026)
Pitch/Echo attack	0.71–0.75 (CBRN)	±2 semitones, 100ms echo	(Kumar et al., 23 Oct 2025)

5. Defense Mechanisms and Open Challenges

A four-layered defense taxonomy is standard (Liu et al., 2024):

1. Input-Level: Blacklists, LLM prompt sanitizers, cross-modal text/audio buffers. Vulnerable to synonymization, dilution, and text-channel obfuscation (Chen et al., 14 Nov 2025, Liu et al., 2024).
2. Encoder-Level: Latent anomaly detectors (Mahalanobis, representation-drift detection), adversarial fine-tuning with known audio transformations. Key methods include invariance loss, cluster-based outlier pre-filtering (Cheng et al., 23 Jan 2025).
3. Generator-Level: Adversarial training with narrative/perturbation-rich data, safety-steering vectors applied during decoding (Yu et al., 30 Jan 2026). Over-zealousness can degrade audio fidelity.
4. Output-Level: ASR+toxicity classifier post-filters, decoding-time calibration (penalize unsafe tokens); joint audio–text feature checks are proposed, but most pipelines lack fully multimodal reasoning (Kumar et al., 23 Oct 2025).

Current gaps:

• Cross-modal pipeline segmentation: most systems do not cross-verify audio–text–embedding consistency, allowing attacks that target only audio or only transcript.
• Real-world robustness: over-the-air playback, environmental contamination, and tailored audio channel attacks remain challenging to defend (Chen et al., 20 May 2025).
• Multilingual, accent, and demographic alignment: models are far less robust to non-trivial phoneme, accent, or prosody shifts (Roh et al., 1 Apr 2025).
• Cost-performance trade-offs: stronger defenses (AdaShield, multi-stage filters) impose utility decreases (e.g., –6.3% on QA tasks) or high compute cost (Peng et al., 23 May 2025).
• Explainability and audit: automated tracing of which audio segments or spectral features induced violation remains an open problem (Liu et al., 2024).

Practical defensive recommendations include adversarial signal augmentation during training, combining text/audio/embedding sanity checks, stochastic input normalizations, and active anomaly detection at the signal and representation levels (Song et al., 21 May 2025, Cheng et al., 23 Jan 2025, Gupta et al., 2 Feb 2025). Proactive model-level moderation currently detects 57–93% of attacks, but high-fidelity adversarial audio remains a major unsolved threat (Chen et al., 14 Nov 2025).

6. Research Landscape, Taxonomy, and Open Questions

Text-to-audio jailbreak constitutes a multidimensional threat surface:

• Attack Taxonomy: Narrative/prosody embedding, universal/stealthy perturbations, semantic obfuscation (concat/shuffle), audio-modality exploits (read/spell/phoneme), signal augmentations (echo, pitch, noise), fictive scenario flanking, and multi-accent/linguistic adaptation (Yu et al., 30 Jan 2026, Peng et al., 23 May 2025, Chen et al., 14 Nov 2025, Song et al., 21 May 2025, Roh et al., 1 Apr 2025).
• Evaluation Benchmarks: JALMBench, AJailBench, Jailbreak-AudioBench, Multi-AudioJail, and task-specific audits.
• Underlying Mechanisms: Exploitation of encoder insensitivity to signal distribution drift, reliance on narrowly-tuned text-centric safety modules, and cross-modal misalignments.
• Societal and Forensic Impacts: Audio-based systems dramatically increase the attack surface for LLM-based assistants, content streaming, and interactive platforms, emphasizing the urgency for sophisticated multimodal safety solutions (Kumar et al., 23 Oct 2025, Kim et al., 5 Aug 2025, Liu et al., 2024).

Open research directions include:

• Joint linguistic–paralinguistic safety alignment.
• Automated mitigation for prosody-manipulated or narrative-layered adversarial audio.
• Comprehensive coverage of non-English, accent-diverse and multi-channel audio vulnerabilities.
• Explainable, human-auditable pipelines for real-time policy enforcement and provenance tracking.
• Balancing expressiveness and safety in future end-to-end audio-LLM training.

Key foundational and empirical works referenced above include:

Title	arXiv ID
"JALMBench: Benchmarking Jailbreak Vulnerabilities in Audio LLMs"	(Peng et al., 23 May 2025)
"When Good Sounds Go Adversarial: Jailbreaking Audio-LLMs with Benign Inputs"	(Kim et al., 5 Aug 2025)
"Now You Hear Me: Audio Narrative Attacks Against Large Audio-LLMs"	(Yu et al., 30 Jan 2026)
"Voice Jailbreak Attacks Against GPT-4o"	(Shen et al., 2024)
"Beyond Text: Multimodal Jailbreaking of Vision-Language and Audio Models through Perceptually Simple Transformations"	(Kumar et al., 23 Oct 2025)
"AudioJailbreak: Jailbreak Attacks against End-to-End Large Audio-LLMs"	(Chen et al., 20 May 2025)
"I am bad: Interpreting Stealthy, Universal and Robust Audio Jailbreaks in Audio-LLMs"	(Gupta et al., 2 Feb 2025)
"Audio Jailbreak: An Open Comprehensive Benchmark for Jailbreaking Large Audio-LLMs"	(Song et al., 21 May 2025)
"Jailbreak Attacks and Defenses against Multimodal Generative Models: A Survey"	(Liu et al., 2024)
"Multilingual and Multi-Accent Jailbreaking of Audio LLMs"	(Roh et al., 1 Apr 2025)
"Synthetic Voices, Real Threats: Evaluating Large Text-to-Speech Models in Generating Harmful Audio"	(Chen et al., 14 Nov 2025)
"Jailbreak-AudioBench: In-Depth Evaluation and Analysis of Jailbreak Threats for Large Audio LLMs"	(Cheng et al., 23 Jan 2025)

The broad and persistent success of text-to-audio jailbreak attacks in academic and commercial systems demonstrates the necessity of fundamentally new, multimodally robust alignment and detection frameworks.