{"ID":3050110,"CreatedAt":"2026-06-04T02:13:16.786527022Z","UpdatedAt":"2026-06-06T10:38:57.550619125Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2606.04717","arxiv_id":"2606.04717","title":"Selection-Aware Diagnostics for Chain-of-Thought Answer Hijacking","abstract":"We study a controlled numeric proxy for chain-of-thought (CoT) answer hijacking, motivated by attacks in which benign-looking reasoning steers a harmful final answer. CoT wrappers on GSM8K and MATH-500 flip final answers away from gold labels. Rather than treating activation patching as clean-trace restoration, we ask where hijacked trajectories are fragile and whether recovery depends on a same-problem clean source. Across Qwen2.5-7B and Llama3-8B on GSM8K few-shot, puzzle, and sycophant hijacks, three few-shot/puzzle cells pass confirmatory $K{=}1$ localization after Bonferroni correction. A selection-aware 50/50 band validation preserves held-out in-band minus out-of-band gaps of +32.6, +45.1, and +17.7 points for Qwen-puzzle, Llama3-fewshot, and Llama3-puzzle, while exact $L^{*}$ agreement is much less stable. Qwen-fewshot remains exploratory, and sycophant cells are temporal-diffuse under short patches. A BF16 Qwen-puzzle full-band sweep preserves the band signal ($n{=}30$, spread 0.33 at $K{=}1$, peak layer 20), supporting the conclusion that the band is not only an INT4 artifact. Fixed-hook GSM8K reruns preserve recovery in both primary puzzle cells: Qwen-puzzle recovers 47.0\\% at $n{=}100$ (47/100; Wilson 95\\% CI [37.5\\%, 56.7\\%]), while Llama3-puzzle recovers 39.0\\% at $n{=}100$ (39/100; [30.0\\%, 48.8\\%]). Frozen transfer to MATH-500 recovers 26.0\\% of qualified cases in the largest fixed-transfer run (13/50; Wilson 95\\% CI [15.9\\%, 39.6\\%]). Source controls change the mechanism interpretation. Paired bootstraps give finite-sample non-separation between clean and random sources in Qwen-fewshot (+3.0 points, 95\\% CI [-18.2,+27.3]) and Llama3-puzzle at expanded $n{=}60$ (clean--random -8.3 [-21.7,+5.0]), while Llama3-fewshot is content-mediated (+40.0 [+16.7,+60.0]).","short_abstract":"We study a controlled numeric proxy for chain-of-thought (CoT) answer hijacking, motivated by attacks in which benign-looking reasoning steers a harmful final answer. CoT wrappers on GSM8K and MATH-500 flip final answers away from gold labels. Rather than treating activation patching as clean-trace restoration, we ask...","url_abs":"https://arxiv.org/abs/2606.04717","url_pdf":"https://arxiv.org/pdf/2606.04717v1","authors":"[\"Jianwei Tai\"]","published":"2026-06-03T10:49:43Z","proceeding":"cs.CR","tasks":"[\"cs.CR\",\"cs.CY\"]","methods":"[\"LoRA\"]","has_code":false}
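The abstract quotes three Wilson 95% confidence intervals for recovery rates (47/100, 39/100, 13/50) and a paired-bootstrap comparison of clean-source versus random-source patching. The following is an added worked example, not code from the paper or its authors: it recomputes the three quoted Wilson intervals from their counts, so a reader can check the reported bounds, and runs the same paired-bootstrap design on constructed per-problem recovery indicators. The per-problem outcomes (`CLEAN`, `RANDOM`), the condition names and the 30-problem size are assumptions for illustration, not the paper's data.

```python
"""Wilson score intervals and a paired bootstrap for patching recovery rates.

Added example (not the paper's code). Recomputes the Wilson 95% CIs quoted in
the abstract and demonstrates a paired bootstrap for the clean-minus-random
recovery gap on constructed per-problem outcomes.
"""
from __future__ import annotations

import random
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.975)  # two-sided 95% normal quantile, ~1.959964


def wilson_interval(successes: int, n: int, z: float = Z95) -> tuple[float, float]:
    """Wilson score interval for a binomial proportion (no continuity correction).

    Unlike the Wald interval, it stays inside [0, 1] and behaves sensibly at
    p near 0 or 1 and for small n, which is why it suits recovery counts.
    """
    if n <= 0 or not 0 <= successes <= n:
        raise ValueError("need n > 0 and 0 <= successes <= n")
    p = successes / n
    z2 = z * z
    denom = 1.0 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * ((p * (1.0 - p) / n + z2 / (4 * n * n)) ** 0.5) / denom
    return centre - half, centre + half


def wilson_percent(successes: int, n: int) -> tuple[float, float]:
    """Wilson 95% CI as percentages rounded to one decimal, as in the abstract."""
    lo, hi = wilson_interval(successes, n)
    return round(100.0 * lo, 1), round(100.0 * hi, 1)


def abstract_intervals() -> dict[str, tuple[float, float]]:
    """Recompute the three (successes, n) intervals quoted in the abstract."""
    return {
        "Qwen-puzzle GSM8K": wilson_percent(47, 100),    # abstract: [37.5, 56.7]
        "Llama3-puzzle GSM8K": wilson_percent(39, 100),  # abstract: [30.0, 48.8]
        "MATH-500 transfer": wilson_percent(13, 50),     # abstract: [15.9, 39.6]
    }


def paired_bootstrap_diff(a: list[int], b: list[int], reps: int = 10_000,
                          seed: int = 0, alpha: float = 0.05) -> tuple[float, float, float]:
    """Percentile paired-bootstrap CI for mean(a) - mean(b), in percentage points.

    a[i] and b[i] are 1/0 recovery indicators for the same problem i under two
    source conditions, so each resample draws whole (a[i], b[i]) pairs and keeps
    the per-problem pairing intact. Returns (observed, lower, upper).
    """
    if len(a) != len(b) or not a:
        raise ValueError("a and b must be non-empty and paired")
    n = len(a)
    pairs = list(zip(a, b))
    observed = 100.0 * (sum(a) - sum(b)) / n
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    diffs = sorted(
        100.0 * sum(x - y for x, y in (pairs[rng.randrange(n)] for _ in range(n))) / n
        for _ in range(reps)
    )
    lo = diffs[int(alpha / 2 * reps)]
    hi = diffs[min(reps - 1, int((1.0 - alpha / 2) * reps))]
    return observed, lo, hi


# Constructed per-problem outcomes (assumption, NOT the paper's data):
# 30 problems; a clean same-problem source recovers 14, a random source
# recovers 13, and the two conditions disagree on only 7 problems.
CLEAN = [1] * 14 + [0] * 16
RANDOM = [1] * 10 + [0] * 4 + [1] * 3 + [0] * 13

if __name__ == "__main__":
    for cell, (lo, hi) in abstract_intervals().items():
        print(f"{cell}: Wilson 95% CI [{lo}%, {hi}%]")
    obs, lo, hi = paired_bootstrap_diff(CLEAN, RANDOM)
    verdict = "non-separation" if lo < 0 < hi else "separation"
    print(f"clean - random: {obs:+.1f} points, 95% CI [{lo:+.1f}, {hi:+.1f}] -> {verdict}")
```

With the constructed outcomes the clean-minus-random gap is +3.3 points and its bootstrap interval straddles zero, the same "finite-sample non-separation" pattern the abstract reports for Qwen-fewshot; a cell like Llama3-fewshot would show an interval entirely above zero. The Wilson recomputation should reproduce the abstract's bounds exactly at one-decimal precision; if it did not, that would point to a different z, a continuity correction, or a different denominator n than the one quoted.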
