Step-by-step reasoning has enabled LLMs to tackle complex problems, but it also introduces a critical vulnerability: a tendency to produce excessively long and useless reasoning chains, a phenomenon known as overthinking. A team from Zhejiang University and Alibaba has shown that this behavior can be deliberately triggered with logically inconsistent prompts, turning into a denial-of-service attack against reasoning-based services. Presented at ICML 2026, the research reveals that overthinking is not an isolated quirk but a vulnerability shared across major reasoning LLMs.

The method uses an evolutionary algorithm that scrambles the logical structure of math problems taken from benchmarks—swapping premises, deleting constraints, or swapping the final question. The resulting unsolvable problems cause models to get stuck in endless reasoning loops. On DeepSeek-R1, outputs grew up to 26 times longer than baseline on the MATH dataset. Qwen3-Thinking, GPT-o3, and Gemini 2.5 Flash also showed significant lengthening. Researcher Wei Cao notes, "overthinking is not a phenomenon specific to individual models, but rather a shared vulnerability among modern reasoning models."

The attack requires no internal model access; just querying as an external user, making it applicable even to closed commercial services. Moreover, malicious prompts generated with a smaller, cheaper model were able to induce the effect on larger LLMs, drastically cutting the attack cost. The goal is not to demonstrate a large-scale attack but to highlight an attack surface that providers can mitigate.

For those running reasoning models in self-hosted environments, the discovery has direct implications. A malicious insider or a publicly exposed endpoint can trigger inference sessions that consume far more VRAM and compute than anticipated, bloating operational costs and TCO. In on-premises setups, where GPU resources are limited and often shared across workloads, a spike in malicious requests could degrade performance for all legitimate users, creating a real bottleneck. Unlike large cloud providers, self-hosted operators usually have less headroom to absorb such spikes without extra investment.

The good news is that defenses exist: output token limits, rate limiting, and prompt filtering can reduce the risk, as the researchers themselves acknowledge. However, adopting them in an on-premises stack requires conscious monitoring of model behavior. For those evaluating local deployment, assessing resilience to overthinking attacks becomes a line item to weigh alongside quantization choices and VRAM sizing.

This kind of threat signals a broader shift: as reasoning models are adopted, the attack surface moves from pure data security to the ability to saturate compute resources with seemingly legitimate queries. It’s a challenge that calls not only for cybersecurity specialists but also for those designing inference infrastructure.