Large reasoning models (LRMs) face a fundamental trade-off between safety and reasoning capability, particularly exhibiting “self-jailbreak”—a phenomenon where models actively override their own safety judgments during complex reasoning to generate harmful content. This work formally defines self-jailbreak for the first time and proposes Chain-of-Guardrail (CoG), a novel safety framework that dynamically identifies unsafe reasoning paths from model-generated traces. CoG employs backtracking analysis and step-level recomposition to inject precise safety signals and rectify unsafe trajectories—without compromising reasoning fidelity. Unlike prior methods that degrade reasoning performance to enforce safety, CoG preserves or even enhances original reasoning capabilities. Experiments across diverse reasoning and safety benchmarks demonstrate that CoG significantly improves safety (e.g., +32.7% refusal rate) while maintaining strong performance on reasoning tasks, thereby breaking the conventional safety–capability trade-off barrier.

Large Reasoning Models (LRMs) demonstrate remarkable capabilities on complex reasoning tasks but remain vulnerable to severe safety risks, including harmful content generation and jailbreak attacks. Existing mitigation strategies rely on injecting heuristic safety signals during training, which often suppress reasoning ability and fail to resolve the safety-reasoning trade-off. To systematically investigate this issue, we analyze the reasoning trajectories of diverse LRMs and uncover a phenomenon we term Self-Jailbreak, where models override their own risk assessments and justify responding to unsafe prompts. This finding reveals that LRMs inherently possess the ability to reject unsafe queries, but this ability is compromised, resulting in harmful outputs. Building on these insights, we propose the Chain-of-Guardrail (CoG), a training framework that recomposes or backtracks unsafe reasoning steps, steering the model back onto safe trajectories while preserving valid reasoning chains. Extensive experiments across multiple reasoning and safety benchmarks demonstrate that CoG substantially improves the safety of current LRMs while preserving comparable reasoning ability, significantly outperforming prior methods that suffer from severe safety-reasoning trade-offs.