English

Safer by Diffusion, Broken by Context: Diffusion LLM's Safety Blessing and Its Failure Mode

Machine Learning 2026-04-03 v2

Abstract

Diffusion large language models (D-LLMs) offer an alternative to autoregressive LLMs (AR-LLMs) and have demonstrated advantages in generation efficiency. Beyond the utility benefits, we argue that D-LLMs exhibit a previously underexplored safety blessing: their diffusion-style generation confers intrinsic robustness against jailbreak attacks originally designed for AR-LLMs. In this work, we provide an initial analysis of the underlying mechanism, showing that the diffusion trajectory induces a stepwise reduction effect that progressively suppresses unsafe generations. This robustness, however, is not absolute. Following this analysis, we highlight a simple yet effective failure mode, context nesting, in which harmful requests are embedded within structured benign contexts. Empirically, we show that this simple black-box strategy bypasses D-LLMs' safety blessing, achieving state-of-the-art attack success rates across models and benchmarks. Notably, it enables the first successful jailbreak of Gemini Diffusion to our knowledge, exposing a critical vulnerability in proprietary D-LLMs. Together, our results characterize both the origins and the limits of D-LLMs' safety blessing, constituting an early-stage red-teaming of D-LLMs.

Keywords

Cite

@article{arxiv.2602.00388,
  title  = {Safer by Diffusion, Broken by Context: Diffusion LLM's Safety Blessing and Its Failure Mode},
  author = {Zeyuan He and Yupeng Chen and Lang Lin and Yihan Wang and Shenxu Chang and Eric Sommerlade and Philip Torr and Junchi Yu and Adel Bibi and Jialin Yu},
  journal= {arXiv preprint arXiv:2602.00388},
  year   = {2026}
}
R2 v1 2026-07-01T09:28:52.201Z