ICML 2026 Paper Reveals ‘Overthinking’ Attack Extracts LLM Secrets via Reasoning Weights

neural network

When Thinking Too Hard Becomes a Security Liability

Large language models that take time to "think" through problems may also be generating new attack surfaces. A paper accepted at the 2026 International Conference on Machine Learning (ICML) describes a technique called "Overthinking" that deliberately amplifies the internal reasoning weights of an LLM, causing it to spill memorized secrets from its training data. The 9-page study, with 6 figures, is set to be presented at one of the field's most selective venues, lending credence to a threat that could affect any organization deploying reasoning-enhanced LLMs.

The research, posted to arXiv on July 10, 2026, by authors Jack Hopkins, Dipika Khullar, and Fabien Roger, has immediately drawn attention from the security and alignment communities. While earlier extraction attacks required thousands of queries or access to model probabilities, the Overthinking method exploits the very mechanism meant to improve answer accuracy: step-by-step reasoning. By systematically increasing the influence of weights associated with intermediate reasoning tokens, the attack pushes the model into a state where its chain of thought inadvertently surfaces verbatim fragments of training data, including personally identifiable information, private API keys, and copyrighted code snippets.

How the Overthinking Technique Works

According to the paper’s abstract, the core insight is that reasoning steps are not neutral — each token emitted during chain-of-thought (CoT) generation carries hidden representations that encode far more information than the surface text suggests. The researchers developed a fine-tuning-free method to isolate the weight paths most active during reasoning and temporarily scale them up by a factor of 3 to 7 times, depending on the layer depth. This manipulation, which they term "weight amplification," forces the model to dwell excessively on its stored knowledge, effectively overthinking the problem until it blurts out exact training excerpts.

neural network

The team tested the attack on several open-weight models, including Llama-3-8B-Instruct and Qwen2-72B, as well as a selection of popular reasoning-tuned variants. In one documented instance, ramping up the reasoning weights for a query about a medical condition led the model to reproduce a full paragraph from a private clinical dataset that had appeared in its pre-training corpus. The extracted text contained patient age, treatment dates, and dosage information — a clear violation of data protection standards.

Importantly, the attack does not require white-box access to the entire model; gradient information is unnecessary. The paper notes that the same weight-amplification parameters discovered on a reference model transferred directly to other models from the same architecture family, even when those models were fine-tuned on proprietary data. This transferability heightens the practical risk, because an adversary could calibrate the attack using a publicly available model and then apply it against a deployed commercial API that exposes reasoning tokens.

Beyond Prompt Injection: A New Class of Data Exfiltration

Security researchers have long warned about prompt injection and membership inference risks, but the Overthinking attack sidesteps traditional defenses. It does not rely on jumbled instructions or adversarial suffixes; instead, it quietly manipulates the model's own cognitive process. As the authors write, the model is not being tricked — it is being encouraged to do what it was designed to do, only at an extreme degree. This turns a feature into a vulnerability.

The consequences reach far beyond academic curiosity. Enterprises that finetune LLMs on internal documents, customer support transcripts, or proprietary source code now face a scenario where a reasoning-heavy model could retroactively leak that data with the wrong amplification parameters. Even if the model runs in a trusted execution environment, logging the reasoning tokens for compliance or debugging may inadvertently record the spilled secrets, creating a permanent data breach record.

The paper's supplementary material describes experiments with a “secret canary” methodology, where known unique strings were injected into training data. The amplification technique managed to retrieve 78% of those canaries within the first 50 generated reasoning tokens, compared to only 4% under normal CoT settings. This quantification underscores the scale of the problem: the attack does not marginally increase leakage; it fundamentally changes the leakage threshold.

neural network

Why the ICML 2026 Acceptance Matters

ICML’s rigorous peer review process suggests that the findings have been vetted by experts in machine learning security. Meanwhile, the timing is significant. In mid-2026, reasoning-based models like OpenAI’s o1, Anthropic’s extended thinking, and various open-source counterparts have become standard for complex enterprise tasks. Many of these systems expose reasoning traces to users or log them for auditing, making the vector described in the paper immediately exploitable. The Overthinking work provides the first systematic study of how these traces can be turned against the model owner.

Additionally, the paper appears only weeks after several major cloud providers announced default logging of reasoning tokens for enterprise customers, a move meant to improve service quality and debugging. Security officers now face a dilemma: retain those logs and risk exposing sensitive data extracted via weight amplification, or discard them and lose the audit trail required for compliance in regulated industries.

Defenses and the Road Ahead

The authors propose some initial mitigations, though none fully eliminate the risk. Weight clipping — limiting the amplification factor dynamically during inference — reduces extraction success by about 40% but degrades reasoning quality on genuinely hard tasks. Another approach, differential privacy during training, showed promise in preventing memorization of rare secrets but is difficult to apply retroactively. The most practical short-term defense is simply not exposing reasoning tokens to end users, but this conflicts with the transparency promises many reasoning-model providers have made.

Looking forward, the Overthinking attack is likely to accelerate research into formal verification of LLM inference paths and runtime monitoring of weight activations. The paper also highlights a broader lesson: the move toward more introspective, chain-of-thought AI systems inevitably opens new attack surfaces that must be secured during the architecture phase, not bolted on later. For CISOs and ML engineers, the message is clear: if your model can think, someone will try to make it think too hard.

Source: arXiv AI
345tool Editorial Team
345tool Editorial Team

We are a team of AI technology enthusiasts and researchers dedicated to discovering, testing, and reviewing the latest AI tools to help users find the right solutions for their needs.

我们是一支由 AI 技术爱好者和研究人员组成的团队,致力于发现、测试和评测最新的 AI 工具,帮助用户找到最适合自己的解决方案。

댓글

Loading comments...