{"ID":2836793,"CreatedAt":"2026-06-01T04:54:23.091178241Z","UpdatedAt":"2026-06-01T04:54:23.091178241Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2511.20002","arxiv_id":"2511.20002","title":"Semantic Router: On the Feasibility of Hijacking MLLMs via a Single Adversarial Perturbation","abstract":"Multimodal Large Language Models (MLLMs) are increasingly deployed in stateless systems, such as autonomous driving and robotics. This paper investigates a novel threat: Semantic-Aware Hijacking. We explore the feasibility of hijacking multiple stateless decisions simultaneously using a single universal perturbation. We introduce the Semantic-Aware Universal Perturbation (SAUP), which acts as a semantic router, \"actively\" perceiving input semantics and routing them to distinct, attacker-defined targets. To achieve this, we conduct theoretical and empirical analysis on the geometric properties in the latent space. Guided by these insights, we propose the Semantic-Oriented (SORT) optimization strategy and annotate a new dataset with fine-grained semantics to evaluate performance. Extensive experiments on three representative MLLMs demonstrate the fundamental feasibility of this attack, achieving a 66% attack success rate over five targets using a single frame against Qwen.","short_abstract":"Multimodal Large Language Models (MLLMs) are increasingly deployed in stateless systems, such as autonomous driving and robotics. This paper investigates a novel threat: Semantic-Aware Hijacking. We explore the feasibility of hijacking multiple stateless decisions simultaneously using a single universal perturbation. W...","url_abs":"https://arxiv.org/abs/2511.20002","url_pdf":"https://arxiv.org/pdf/2511.20002v2","authors":"[\"Changyue Li\",\"Jiaying Li\",\"Youliang Yuan\",\"Jiaming He\",\"Zhicong Huang\",\"Pinjia He\"]","published":"2025-11-25T07:13:13Z","proceeding":"cs.CV","tasks":"[\"cs.CV\",\"cs.AI\",\"cs.CR\"]","methods":"[\"Large Language Model\",\"Language Model\"]","has_code":false}