🤖 AI Summary
This work uncovers a critical security vulnerability in machine unlearning for large reasoning models (LRMs): adversaries can induce the model to produce incorrect answers accompanied by seemingly plausible yet misleading reasoning traces. To address this, we propose the first unlearning attack tailored specifically for LRMs, introducing a novel two-stage precise attack framework. By integrating a differentiable objective function, key token alignment, and a relaxed indicator strategy, our approach effectively overcomes the challenges posed by optimizing long reasoning chains and handling non-differentiable logical constraints. The method operates successfully in both white-box and black-box settings. Experimental results demonstrate its high efficacy in triggering unlearning failures, thereby exposing significant risks in current LRM unlearning mechanisms.
📝 Abstract
Large language models (LLMs) possess strong semantic understanding, driving significant progress in data mining applications. This is further enhanced by large reasoning models (LRMs), which provide explicit multi-step reasoning traces. On the other hand, the growing need for the right to be forgotten has driven the development of machine unlearning techniques, which aim to eliminate the influence of specific data from trained models without full retraining. However, unlearning may also introduce new security vulnerabilities by exposing additional interaction surfaces. Although many studies have investigated unlearning attacks, there is no prior work on LRMs. To bridge the gap, in this paper we propose the first LRM unlearning attack, which forces incorrect final answers while generating convincing but misleading reasoning traces. This objective is challenging due to non-differentiable logical constraints, weak optimization effect over long rationales, and discrete forget set selection. To overcome these challenges, we introduce a bi-level exact unlearning attack that incorporates a differentiable objective function, influential token alignment, and a relaxed indicator strategy. To demonstrate the effectiveness and generalizability of our attack, we also design novel optimization frameworks and conduct comprehensive experiments in both white-box and black-box settings, aiming to raise awareness of the emerging threats to LRM unlearning pipelines.