The Unseen Threat: Residual Knowledge in Machine Unlearning under Perturbed Samples

📅 2026-01-29
📈 Citations: 1
✨ Influential: 0
🤖 AI Summary
This study addresses a critical privacy vulnerability in existing machine unlearning methods: despite formal removal of target data, models may retain residual recognition capabilities when exposed to adversarially perturbed inputs, thereby risking unintended information leakage. To tackle this issue, the work formally defines the problem of residual knowledge under input perturbations in high-dimensional settings and introduces RURK, a penalty-based fine-tuning strategy designed to suppress a model's ability to re-identify perturbed forgotten samples. Extensive experiments demonstrate that mainstream unlearning approaches commonly exhibit such residual knowledge, whereas RURK effectively mitigates this risk, significantly enhancing forgetting security across standard vision benchmarks.

📝 Abstract
Machine unlearning offers a practical alternative to avoid full model re-training by approximately removing the influence of specific user data. While existing methods certify unlearning via statistical indistinguishability from re-trained models, these guarantees do not naturally extend to model outputs when inputs are adversarially perturbed. In particular, slight perturbations of forget samples may still be correctly recognized by the unlearned model - even when a re-trained model fails to do so - revealing a novel privacy risk: information about the forget samples may persist in their local neighborhood. In this work, we formalize this vulnerability as residual knowledge and show that it is inevitable in high-dimensional settings. To mitigate this risk, we propose a fine-tuning strategy, named RURK, that penalizes the model's ability to re-recognize perturbed forget samples. Experiments on vision benchmarks with deep neural networks demonstrate that residual knowledge is prevalent across existing unlearning methods and that our approach effectively prevents residual knowledge.
Problem

Research questions and friction points this paper is trying to address.

machine unlearning
residual knowledge
adversarial perturbations
privacy risk
forget samples
Innovation

Methods, ideas, or system contributions that make the work stand out.

machine unlearning
residual knowledge
adversarial perturbation
privacy risk
RURK