This study systematically investigates the security advantages and failure mechanisms of diffusion-based large language models (D-LLMs) against conventional autoregressive jailbreak attacks. Through red-teaming evaluations, diffusion trajectory analysis, and multi-model benchmarking, it reveals for the first time that D-LLMs inherently suppress harmful content through their iterative diffusion generation process, while also identifying critical vulnerabilities under specific contextual structures. To exploit this weakness, the work introduces a novel and highly effective “context nesting” jailbreak strategy, achieving state-of-the-art attack success rates across multiple mainstream D-LLMs and, notably, the first successful compromise of Gemini Diffusion—thereby exposing significant limitations in current safety mechanisms.

Diffusion large language models (D-LLMs) offer an alternative to autoregressive LLMs (AR-LLMs) and have demonstrated advantages in generation efficiency. Beyond the utility benefits, we argue that D-LLMs exhibit a previously underexplored safety blessing: their diffusion-style generation confers intrinsic robustness against jailbreak attacks originally designed for AR-LLMs. In this work, we provide an initial analysis of the underlying mechanism, showing that the diffusion trajectory induces a stepwise reduction effect that progressively suppresses unsafe generations. This robustness, however, is not absolute. We identify a simple yet effective failure mode, termed context nesting, where harmful requests are embedded within structured benign contexts, effectively bypassing the stepwise reduction mechanism. Empirically, we show that this simple strategy is sufficient to bypass D-LLMs'safety blessing, achieving state-of-the-art attack success rates across models and benchmarks. Most notably, it enables the first successful jailbreak of Gemini Diffusion, to our knowledge, exposing a critical vulnerability in commercial D-LLMs. Together, our results characterize both the origins and the limits of D-LLMs'safety blessing, constituting an early-stage red-teaming of D-LLMs.