[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-llm-guardrails-vulnerable-to-denialofservice-loops":10},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":22,"tags":36,"sources":40,"feedback":44,"feedback_at":22,"cost_usd":44,"total_tokens":44},1207,"llm-guardrails-vulnerable-to-denialofservice-loops","LLM guardrails vulnerable to denial‑of‑service loops","Researchers show crafted prompts can force safety layers into costly reasoning cycles, crippling shared AI agents.","LLM‑based guardrails can be trapped in endless reasoning, turning them into denial‑of‑service weapons.\n\nThe paper introduces two attack pipelines. One uses a beam‑search optimiser that feeds an LLM a bank of strategies to generate payloads that maximise the length of the guardrail’s internal chain‑of‑thought. The second relies on structural mutations that exploit the guardrail’s schema‑following logic with far less compute. In controlled tests the payloads inflate token counts by 13‑63× on eight popular model backbones, including Claude, GPT, Gemini, DeepSeek and Qwen. When deployed in real‑world agents—web bots, desktop helpers, code generators and multi‑agent systems—the same tricks cause latency spikes up to 148×, and a single poisoned document can hog shared guardrail resources, starving other agents.\n\nWhy it matters: guardrails are marketed as the last line of defense against jailbreaks, yet their own reasoning engine becomes the Achilles’ heel. The attacks bypass content filters entirely by exhausting compute, not by slipping past semantic checks. This flips the security narrative: protecting prompt integrity may now require throttling or cost‑bounding the guardrail’s reasoning depth, a design shift not yet reflected in most commercial deployments.\n\nIn short, the study shows that availability, not just correctness, is at risk for LLM agents. Until vendors harden guardrails against runaway loops, shared AI services could see intermittent outages triggered by a single malicious document.","[\"llm\",\"security\",\"ai-agent\"]","2026-06-15T04:00:00.000Z","2026-06-16T17:59:46.724Z","2026-06-16T17:59:49.640Z","published",null,[24,30,33],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"Add a clear concluding paragraph that summarizes the findings and their implications for readers.","resolved",{"id":31,"reviewer":26,"round":32,"reason":28,"status":29},"editor-r2",2,{"id":34,"reviewer":26,"round":35,"reason":28,"status":29},"editor-r3",3,[37,38,39],"llm","security","ai-agent",[41],{"name":42,"url":43},"arXiv cs.AI","https:\u002F\u002Farxiv.org\u002Fabs\u002F2606.14517",0]