Reasoning as an Attack Surface: Adaptive Evolutionary CoT Jailbreaks for LLMs

📅 2026-05-23
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the vulnerability of large language reasoning models to novel jailbreaking attacks exploiting their explicit chain-of-thought mechanisms, highlighting limitations in existing static template-based approaches regarding diversity, adaptability, and effectiveness. To overcome these challenges, the authors propose AE-CoT, an adaptive evolutionary chain-of-thought jailbreaking framework that rewrites harmful objectives through teacher role-playing, decomposes them into semantically coherent reasoning segments, and performs multi-generational evolutionary search within a structured representation space. AE-CoT introduces a novel segment-level crossover operator and an adaptive mutation rate controller, coupled with an independent harmfulness scoring model, significantly enhancing attack diversity and success rates. Extensive experiments demonstrate that AE-CoT consistently outperforms state-of-the-art methods across multiple models and datasets, confirming its efficacy and generalization capability.
📝 Abstract
Large Reasoning Models (LRMs) have demonstrated remarkable capabilities in reasoning and generation tasks and are increasingly deployed in real-world applications. However, their explicit chain-of-thought (CoT) mechanism introduces new security risks, making them particularly vulnerable to jailbreak attacks. Existing approaches often rely on static CoT templates to elicit harmful outputs, but such fixed designs suffer from limited diversity, adaptability, and effectiveness. To overcome these limitations, we propose an adaptive evolutionary CoT jailbreak framework, called AE-CoT. Specifically, the method first rewrites harmful goals into mild prompts with teacher role-play and decomposes them into semantically coherent reasoning fragments to construct a pool of CoT jailbreak candidates. Then, within a structured representation space, we perform multi-generation evolutionary search, where candidate diversity is expanded through fragment-level crossover and a mutation strategy with an adaptive mutation-rate control mechanism. An independent scoring model provides graded harmfulness evaluations, and high-scoring candidates are further enhanced with a harmful CoT template to induce more destructive generations. Extensive experiments across multiple models and datasets demonstrate the effectiveness of the proposed AE-CoT, consistently outperforming state-of-the-art jailbreak methods.
Problem

Research questions and friction points this paper is trying to address.

jailbreak attacks
chain-of-thought
Large Reasoning Models
security risks
adaptive CoT
Innovation

Methods, ideas, or system contributions that make the work stand out.

adaptive evolutionary search
chain-of-thought jailbreak
fragment-level crossover
adaptive mutation-rate control
harmfulness scoring
Jianan Li
Northeastern University
Simeng Qin
Hebei Key Laboratory of Data Science and Knowledge Management
Xiaojun Jia
Nanyang Technological University
Explainable AI, Robust AI, Efficient AI
Lionel Z. Wang
Nanyang Technological University, Singapore; The Hong Kong Polytechnic University, Hong Kong, China
Tianhang Zheng
Zhejiang University
Xiaoshuang Jia
Renmin University of China, Beijing, China; DynaHex Technology, China
Yang Liu
Nanyang Technological University
Agent, Software Engineering, Cyber Security, Trustworthy AI, Software Security
Xiaochun Cao
Sun Yat-sen University
Computer Vision, Artificial Intelligence, Multimedia, Machine Learning