BadWorld: Adversarial Attacks on World Models

22d ago · Global · primary source: export.arxiv.org

A new adversarial framework called BadWorld can force visual world models to produce catastrophic prediction failures using visually indistinguishable input perturbations, according to research submitted to arXiv on 15 June 2026 [1]. The technique exposes what its authors describe as severe structural fragility in models that synthesize interactive video rollouts from a single image. Visual world models, or VWMs, generate action-conditioned future frames from a single context image, a capability increasingly used in robotics and autonomous systems [1][6]. Standard adversarial attacks, which typically rely on comparing outputs against ground-truth future videos, cannot assess VWM vulnerability because attackers lack access to those future frames and cannot predict subsequent user controls [1][2]. BadWorld overcomes both constraints through two technical components: a self-supervised velocity attack that disrupts the model's early denoising dynamics without requiring future supervision, and a trajectory-adaptive bi-level optimization that mines hard control sequences to produce perturbations that remain effective across unpredictable user actions [1][3]. The framework was evaluated on representative VWMs handling both continuous and discrete controls [1]. The resulting adversarial images, which appear visually indistinguishable from clean inputs, reliably triggered incomplete denoising, structural collapse, and control inconsistency in generated rollouts [1][2]. These degradation patterns differ from earlier work on generative world models. A separate study published on arXiv, titled "When World Models Dream Wrong," demonstrated physical-conditioned attacks that induced semantic and logic-level distortion while preserving perceptual fidelity, reducing 3D detection performance by roughly 4% and worsening open-loop planning performance by roughly 20% when attacked videos were used for training [4]. Adversarial machine learning research has historically focused on evasion attacks, data poisoning, and model extraction across classifiers and language models [5]. The BadWorld findings extend this threat landscape to autoregressive world models, where the consequences of structural collapse carry direct implications for safety-critical deployment [1][8]. The AI safety field has gained significant attention since 2023, with the United States and United Kingdom each establishing dedicated AI Safety Institutes, though researchers have expressed concern that safety measures are not keeping pace with rapid capability advances [8]. The authors note that the same attack mechanism also offers a practical tool for privacy protection, as it can drive model outputs into out-of-distribution behavior when sensitive scenes are being processed [1][3]. The paper was submitted on 15 June 2026 to the Computer Vision and Pattern Recognition section of arXiv [1].

safety-researchresearch-papertool-release

Background sources we checked (10)
  • arxiv.org ↗ Visual world models (VWMs) synthesize interactive, action-conditioned rollouts from a single context image. However, it remains an open question how robust these models are to adversarial perturbations. Standard adversarial attacks fail to assess this vulnerability because attack…
  • arxiv.org ↗ Visual world models (VWMs) synthesize interactive, action-conditioned rollouts from a single context image. However, it remains an open question how robust these models are to adversarial perturbations. Standard adversarial attacks fail to assess this vulnerability because attack…
  • arxiv.org ↗ [2602.18739v1] When World Models Dream Wrong: Physical-Conditioned Adversarial Attacks against World Models ... # Title:When World Models Dream Wrong: Physical-Conditioned Adversarial Attacks against World Models ... > Abstract:Generative world models (WMs) are increasingly used …
  • en.wikipedia.org ↗ Adversarial machine learning is the study of the attacks on machine learning algorithms, and of the defenses against such attacks. Machine learning techniques are mostly designed to work on specific problem sets, under the assumption that the training and test data are generated …
  • en.wikipedia.org ↗ Generative artificial intelligence (GenAI) is a subfield of artificial intelligence (AI) that uses generative models to generate text, images, videos, audio, software code (vibe coding) or other forms of data. These models learn the underlying patterns and structures of their tra…
  • en.wikipedia.org ↗ Prompt injection is a cybersecurity exploit and an attack vector in which innocuous-looking inputs (i.e. prompts) are designed to cause unintended behavior in machine learning models, particularly large language models (LLMs). The attack takes advantage of the model's inability t…
  • en.wikipedia.org ↗ AI safety is an interdisciplinary field focused on preventing accidents, misuse, or other harmful consequences arising from artificial intelligence systems. It encompasses AI alignment (which aims to ensure AI systems behave as intended), monitoring AI systems for risks, and enha…
  • info.arxiv.org ↗ arXiv Labs - arXiv info | arXiv e-print repository Skip to content # arXiv Labs Attention arXiv Users: arXiv Labs is pausing new proposals ## What are arXiv Labs? arXiv Labs are a way for the community to contribute new, useful features to arXiv. These integrations are avail…
  • blog.arxiv.org ↗ arXivLabs: a space for community innovation – arXiv blog arXiv has launched a new, formalized framework enabling innovative collaborations with individuals and organizations. “Members of our community want to contribute tools that enhance the arXiv experience, and we val…
  • info.arxiv.org ↗ arXivLabs: Showcase - arXiv info | arXiv e-print repository ... # arXivLabs: Showcase ... arXiv is surrounded by a community of researchers and developers working at the cutting edge of information science and technology. ... While the arXiv team is focused on our core mission—pr…

Sources

Spot something wrong? Report an issue