AI News HubLIVE
In-site rewrite4 min read

AI Models Overthink Problems—and It’s a Security Risk

Research shows that large language models with reasoning capabilities can be tricked into 'overthinking' using logically inconsistent prompts, leading to a denial-of-service attack. Researchers from Zhejiang University and Alibaba developed an evolutionary algorithm that generates malicious prompts, causing outputs up to 26 times longer in leading models like DeepSeek-R1, Qwen3-Thinking, GPT-o3, and Gemini 2.5 Flash.

SourceIEEE Spectrum AIAuthor: Edd Gent

-->

Raven.config('https://[email protected]/147999').install();

How Flawed Prompts Hamstring Powerful Reasoning Models - IEEE Spectrum

Sign InJoin IEEE

The July issue of IEEE Spectrum is here!

Download PDF ↓

Close bar

AI Models Overthink Problems—and It’s a Security Risk

Share

FOR THE TECHNOLOGY INSIDER

Enjoy more free content and benefits by creating an account

Saving articles to read later requires an IEEE Spectrum account

The Institute content is only available for members

Downloading full PDF issues is exclusive for IEEE Members

Downloading this e-book is exclusive for IEEE Members

Access to Spectrum 's Digital Edition is exclusive for IEEE Members

Following topics is a feature exclusive for IEEE Members

Adding your response to an article requires an IEEE Spectrum account

Create an account to access more content and features on IEEE Spectrum , including the ability to save articles to read later, download Spectrum Collections, and participate in conversations with readers and editors. For more exclusive content and features, consider Joining IEEE .

Join the world’s largest professional organization devoted to engineering and applied sciences and get access to all of Spectrum’s articles, archives, PDF downloads, and other benefits. Learn more about IEEE →

Join the world’s largest professional organization devoted to engineering and applied sciences and get access to this e-book plus all of IEEE Spectrum’s articles, archives, PDF downloads, and other benefits. Learn more about IEEE →

Close

Access Thousands of Articles — Completely Free

Create an account and get exclusive content and features: Save articles, download collections, and post comments — all free! For full access and benefits,

subscribe

to Spectrum.

CREATE AN ACCOUNTSIGN IN

AI Models Overthink Problems—and It’s a Security Risk

Edd Gent

1m

3 min read

Large language models (LLMs) that can think through problems step-by-step have significantly increased the scope of tasks that AI can tackle. But new research suggests these reasoning capabilities also introduce a critical vulnerability that could allow attackers to slow these systems to a crawl.

While earlier generations of LLMs would immediately produce a response to a user’s request, today’s most advanced models generate an internal monologue where they break down the problem into steps and reason about the best way to tackle it before providing an answer. This has allowed AI to tackle increasingly complex problems, particularly in areas like coding and math.

However, previous research has shown that these models are susceptible to sometimes producing excessively long streams of reasoning that do little to boost performance, a phenomenon known as “overthinking.” In research presented this week at the International Conference on Machine Learning 2026 in Seoul, researchers from Zhejiang University and e-commerce giant Alibaba in China demonstrate that they can deliberately induce overthinking by subjecting models to logically inconsistent prompts. The result is a form of denial-of-service attack on commercial AI models.

Evolutionary Prompt Attack on LLMs

The team has developed an evolutionary algorithm that corrupts the logical structure of prompts, causing models to spiral into overthinking as they attempt to reason through fundamentally unsolvable problems. Generating longer responses costs more and increases the load on a model provider’s servers, so if done at scale, the researchers say, this could significantly degrade the experience of legitimate users. The attack was effective against reasoning models from leading AI companies including DeepSeek-R1, Alibaba’s Qwen3-Thinking, OpenAI’s GPT-o3, and Google’s Gemini 2.5 Flash and resulted in outputs up to 26 times as long as standard responses on a standard math benchmark.

“Across multiple datasets and reasoning models, our method substantially amplifies the output length,” Wei Cao, a masters student at Zhejiang University, wrote in an email to IEEE Spectrum. “Our results suggest that overthinking is not an isolated phenomenon specific to individual models, but rather a shared vulnerability among modern reasoning models.”

The team’s approach builds on previous research from another group of researchers that showed reasoning models tend to overthink when faced with a question in which a key premise has been removed—such as asking how far someone who walks ten miles a day covers in total without specifying how many days they walked for. Rather than identifying that the problem is unsolvable, models often engage in extended but ultimately fruitless reasoning loops in an attempt to answer the question.

Taking the idea a step further, the authors took 940 problems from three math benchmark datasets and used an LLM to break down their logical structure into a set of premises and a final question. The genetic algorithm then jumbled these up using a variety of “mutations,” including swapping premises between problems, adding extra premises to problems, deleting existing premises from problems, and swapping the final questions between two sets of premises.

After each round of mutations, the problems are scored on how many words they cause a target model to output and also whether they increase the frequency of specific linguistic markers of overthinking—words like “but,” “wait,” “maybe,” or “alternatively.” The problems that scored highest on both measures are retained and the remaining ones are jumbled up again, and this process is repeated for five generations. Crucially, the approach doesn’t require access to the internals of a model and can generate malicious prompts by simply querying the target, which makes it possible to attack closed-source commercial services, says Cao.

Overthinking Vulnerability in AI Models

The researchers found that the approach consistently led to outputs several times longer than those generated by the unmodified questions for the reasoning models they tested it on. The biggest jump came from DeepSeek-R1 on the MATH dataset, which is made up of problems from high school math competitions, where the maximum output was 26.1 times as long as the longest response the model provided to unaltered questions. While the main thrust of the research was focused on math problems, the authors also tested it on coding, scientific reasoning, and dialogue challenges, and observed significant jumps in output length in all three.

One challenge for the approach is that developing the malicious prompts requires repeated queries to expensive reasoning models, which Cao admitted could limit its cost-effectiveness. However, the researchers also demonstrated that when they used a smaller, cheaper model to generate the malicious prompts they were still able to induce the target models to produce outputs several times longer than normal. This ability to transfer malicious prompts between models significantly increases the attack’s feasibility, Cao wrote.

However, he pointed out that the goal of the research is not to develop a practical DoS attack on reasoning models. Factors like the providers’ pricing model, rate limiting policies, context window size, and existing defenses could all impact how effective the approach is. The intention is instead to highlight these models’ vulnerability to logically inconsistent prompts so that providers can attempt to mitigate the problem.

“Our objective is not to demonstrate that large-scale attacks can be launched at negligible cost, but rather to establish that this attack surface exists,” he wrote. “Our results indicate that the vulnerability represents a realistic security concern.”

From Your Site Articles

“Thinking” Visually Boosts AI Problem Solving ›

It’s Not Just Us: AI Models Struggle With Overthinking ›

AI Models Embrace Humanlike Reasoning ›

Related Articles Around the Web

Reasoning models | OpenAI API ›

What Is a Reasoning Model? | IBM ›

Edd Gent

Stacking Chips Sideways Gives AI More Memory

1h

4 min read

As AI Reshapes Global Energy Systems, Melbourne Leads Through Engineering Collaboration

01 Jul 2026

6 min read

AI Is Designing Radio Chips That Humans Couldn’t Even Imagine

24 Jun 2026

14 min read

ConlangCrafter Turns AI to Imagining Languages

Why Are LLMs so Terrible at Video Games?

Thunderforge Brings AI Agents to Wargames