The increasing sophistication of large vision-language models (LVLMs) has been accompanied by advances in safety alignment mechanisms designed to prevent harmful content generation. However, these defenses remain vulnerable to sophisticated adversarial attacks. Existing jailbreak methods typically rely on direct and semantically explicit prompts, overlooking subtle vulnerabilities in how LVLMs compose information over multiple reasoning steps. In this paper, we propose a novel and effective jailbreak framework inspired by Return-Oriented Programming (ROP) techniques from software security. Our approach decomposes a harmful instruction into a sequence of individually benign visual gadgets. A carefully engineered textual prompt directs the sequence of inputs, prompting the model to integrate the benign visual gadgets through its reasoning process to produce a coherent and harmful output. This makes the malicious intent emergent and difficult to detect from any single component. We validate our method through extensive experiments on established benchmarks including SafeBench and MM-SafetyBench, targeting popular LVLMs. Results show that our approach consistently and substantially outperforms existing baselines on state-of-the-art models, achieving near-perfect attack success rates (over 0.90 on SafeBench) and improving ASR by up to 0.39. Our findings reveal a critical and underexplored vulnerability that exploits the compositional reasoning abilities of LVLMs, highlighting the urgent need for defenses that secure the entire reasoning process.

翻译：随着大型视觉语言模型（LVLMs）日益复杂，旨在防止有害内容生成的安全对齐机制也取得了进展。然而，这些防御措施在面对复杂的对抗攻击时依然脆弱。现有的越狱方法通常依赖于直接且语义明确的提示，忽视了LVLMs在多步推理过程中组合信息时存在的微妙漏洞。本文受软件安全领域面向返回编程（ROP）技术的启发，提出了一种新颖且有效的越狱框架。我们的方法将有害指令分解为一系列单独良性的视觉“代码片段”。通过精心设计的文本提示引导输入序列，促使模型在其推理过程中整合这些良性视觉片段，从而生成连贯且有害的输出。这使得恶意意图在整体中涌现，难以从任何单一组件中被检测。我们在包括SafeBench和MM-SafetyBench在内的成熟基准测试上，针对主流LVLMs进行了大量实验验证。结果表明，我们的方法在先进模型上持续且显著地超越现有基线，实现了接近完美的攻击成功率（在SafeBench上超过0.90），并将攻击成功率最高提升了0.39。我们的研究揭示了一种关键且尚未被充分探索的漏洞，该漏洞利用了LVLMs的组合推理能力，凸显了保障整个推理过程安全的防御机制的紧迫需求。