cd /news/large-language-models/ai-models-overthink-problems-and-its… · home topics large-language-models article
[ARTICLE · art-50973] src=spectrum.ieee.org ↗ pub= topic=large-language-models verified=true sentiment=↓ negative

AI Models Overthink Problems—and It’s a Security Risk

Researchers from Zhejiang University and Alibaba demonstrated a new denial-of-service attack on large language models by deliberately inducing "overthinking" through logically inconsistent prompts, causing outputs up to 26 times longer than normal. The attack exploits a shared vulnerability in reasoning models from DeepSeek, Alibaba, OpenAI, and Google, potentially degrading service for legitimate users at scale.

read4 min views1 publishedJul 8, 2026

Large language models (LLMs) that can think through problems step-by-step have significantly increased the scope of tasks that AI can tackle. But new research suggests these reasoning capabilities also introduce a critical vulnerability that could allow attackers to slow these systems to a crawl.

While earlier generations of LLMs would immediately produce a response to a user’s request, today’s most advanced models generate an internal monologue where they break down the problem into steps and reason about the best way to tackle it before providing an answer. This has allowed AI to tackle increasingly complex problems, particularly in areas like coding and math. However, previous research has shown that these models are susceptible to sometimes producing excessively long streams of reasoning that do little to boost performance, a phenomenon known as “overthinking.” In research presented this week at the International Conference on Machine Learning 2026 in Seoul, researchers from Zhejiang University and e-commerce giant Alibaba in China demonstrate that they can deliberately induce overthinking by subjecting models to logically inconsistent prompts. The result is a form of denial-of-service attack on commercial AI models.

The team has developed an evolutionary algorithm that corrupts the logical structure of prompts, causing models to spiral into overthinking as they attempt to reason through fundamentally unsolvable problems. Generating longer responses costs more and increases the load on a model provider’s servers, so if done at scale, the researchers say, this could significantly degrade the experience of legitimate users. The attack was effective against reasoning models from leading AI companies including DeepSeek-R1, Alibaba’s Qwen3-Thinking, OpenAI’s GPT-o3, and Google’s Gemini 2.5 Flash and resulted in outputs up to 26 times as long as standard responses on a standard math benchmark.

“Across multiple datasets and reasoning models, our method substantially amplifies the output length,” Wei Cao, a masters student at Zhejiang University, wrote in an email to * IEEE Spectrum*. “Our results suggest that overthinking is not an isolated phenomenon specific to individual models, but rather a shared vulnerability among modern reasoning models.”

The team’s approach builds on previous research from another group of researchers that showed reasoning models tend to overthink when faced with a question in which a key premise has been removed—such as asking how far someone who walks ten miles a day covers in total without specifying how many days they walked for. Rather than identifying that the problem is unsolvable, models often engage in extended but ultimately fruitless reasoning loops in an attempt to answer the question.

Taking the idea a step further, the authors took 940 problems from three math benchmark datasets and used an LLM to break down their logical structure into a set of premises and a final question. The genetic algorithm then jumbled these up using a variety of “mutations,” including swapping premises between problems, adding extra premises to problems, deleting existing premises from problems, and swapping the final questions between two sets of premises.

After each round of mutations, the problems are scored on how many words they cause a target model to output and also whether they increase the frequency of specific linguistic markers of overthinking—words like “but,” “wait,” “maybe,” or “alternatively.” The problems that scored highest on both measures are retained and the remaining ones are jumbled up again, and this process is repeated for five generations. Crucially, the approach doesn’t require access to the internals of a model and can generate malicious prompts by simply querying the target, which makes it possible to attack closed-source commercial services, says Cao.

The researchers found that the approach consistently led to outputs several times longer than those generated by the unmodified questions for the reasoning models they tested it on. The biggest jump came from DeepSeek-R1 on the MATH dataset, which is made up of problems from high school math competitions, where the maximum output was 26.1 times as long as the longest response the model provided to unaltered questions. While the main thrust of the research was focused on math problems, the authors also tested it on coding, scientific reasoning, and dialogue challenges, and observed significant jumps in output length in all three.

One challenge for the approach is that developing the malicious prompts requires repeated queries to expensive reasoning models, which Cao admitted could limit its cost-effectiveness. However, the researchers also demonstrated that when they used a smaller, cheaper model to generate the malicious prompts they were still able to induce the target models to produce outputs several times longer than normal. This ability to transfer malicious prompts between models significantly increases the attack’s feasibility, Cao wrote.

However, he pointed out that the goal of the research is not to develop a practical DoS attack on reasoning models. Factors like the providers’ pricing model, rate limiting policies, context window size, and existing defenses could all impact how effective the approach is. The intention is instead to highlight these models’ vulnerability to logically inconsistent prompts so that providers can attempt to mitigate the problem.

“Our objective is not to demonstrate that large-scale attacks can be launched at negligible cost, but rather to establish that this attack surface exists,” he wrote. “Our results indicate that the vulnerability represents a realistic security concern.”

── more in #large-language-models 4 stories · sorted by recency
── more on @zhejiang university 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/ai-models-overthink-…] indexed:0 read:4min 2026-07-08 ·