This work addresses the vulnerability of safety alignment mechanisms in current large audio-language models, which are typically compromised by conventional jailbreaking methods that embed malicious content. The authors propose a novel paradigm of acoustic perturbation, reframing audio not merely as a content carrier but as an alignment-disrupting signal. By leveraging acoustically derived latent semantic (ALS) features—extracted from the model’s own generative priors—they construct a universal set of instruction-agnostic adversarial audio prompts. This approach induces jailbreaking without any modification to the input text and requires no instance-specific optimization. Evaluated across ten prominent audio-language models and five benchmark datasets, the method achieves state-of-the-art attack success rates, exposing a fundamental fragility in cross-modal alignment mechanisms.

The integration of audio modality into Large Audio Language Models (LALMs) significantly expands their attack surface. Existing jailbreak paradigms predominantly treat audio as a carrier for malicious payloads, relying on semantic optimization, acoustic parameter control, or additive perturbation to embed harmful content into the audio signal. In this work, we challenge this necessity and propose a new paradigm in which the role of audio shifts from content injection to safety alignment interference. We reveal that LALM safety alignment can be compromised solely by specific Acoustic Latent Semantics (ALS), the underlying paralinguistic features intrinsic to the priors of audio generative models. Distinct from previous works that leverage explicit acoustic parameters to merely style malicious audio, we demonstrate that interference audio, benign in content but infused with specific ALS, can serve as a universal jailbreak trigger. Leveraging this insight, we propose the Acoustic Interference Attack (AIA), which decouples the attack payload from the audio. Specifically, AIA employs a set of universal, instruction-neutral interference audio, enabling standard malicious text queries to bypass safety alignment without instance-specific optimization. Extensive experiments on 10 LALMs across five datasets demonstrate that AIA achieves the state-of-the-art attack success rate. Furthermore, our interpretability analysis uncovers the inference path drift induced by AIA and identifies the inherent effective patterns within ALS, revealing the fundamental vulnerability of cross-modal alignment in LALMs.