This study investigates whether enhanced reasoning capabilities in long-context language models inherently ensure safety, particularly in scenarios where harmful intent must be inferred through reasoning. To this end, the authors propose a "compositional reasoning attack," which decomposes malicious queries into benign fragments dispersed across a 64k-token context and uses neutral reasoning prompts to induce the model to synthesize harmful outputs. Systematic evaluation across 14 state-of-the-art large language models reveals that stronger reasoning does not improve safety robustness; instead, alignment significantly degrades as context length increases. Notably, increasing computational effort during inference reduces attack success rates by over 50 percentage points. This work is the first to expose the misalignment between reasoning ability and safety in long-context settings and identifies a promising mitigation strategy.

Large language models (LLMs) increasingly combine long-context processing with advanced reasoning, enabling them to retrieve and synthesize information distributed across tens of thousands of tokens. A hypothesis is that stronger reasoning capability should improve safety by helping models recognize harmful intent even when it is not stated explicitly. We test this hypothesis in long-context settings where harmful intent is implicit and must be inferred through reasoning, and find that it does not hold. We introduce compositional reasoning attacks, a new threat model in which a harmful query is decomposed into incomplete fragments that scattered throughout a long context. The model is then prompted with a neutral reasoning query that induces retrieval and synthesis, causing the harmful intent to emerge only after composition. Evaluating 14 frontier LLMs on contexts up to 64k tokens, we uncover three findings: (1) models with stronger general reasoning capability are not more robust to compositional reasoning attacks, often assembling the intent yet failing to refuse; (2) safety alignment consistently degrades as context length increases; and (3) inference-time reasoning effort is a key mitigating factor: increasing inference-time compute reduces attack success by over 50 percentage points on GPT-oss-120b model. Together, these results suggest that safety does not automatically scale with reasoning capability, especially under long-context inference.