Researchers say nearly-inaudible audio can hijack voice AIs; paper claims demos on Mistral, Microsoft

A newly posted research paper says attackers may be able to use nearly inaudible audio to steer advanced voice AI systems into behavior they were not supposed to perform, including what the authors describe as unauthorized actions by commercial voice agents from Mistral AI and Microsoft Azure.

The paper, “Hijacking Large Audio-Language Models via Context-Agnostic and Imperceptible Auditory Prompt Injection,” was posted to arXiv as arXiv:2604.14604. The arXiv record says version 1 was submitted April 16, 2026, and lists the authors as Meng Chen, Kun Wang, Li Lu, Jiaheng Zhang and Tianwei Zhang.

The central issue is bigger than bad transcription or a chatbot giving a strange answer. Large audio-language models combine speech and language processing for voice interactions, and some are connected to downstream tools or function-calling systems that can carry out tasks. In products built that way, manipulating the audio channel could become a security problem because the model may not just mishear a user — it may take an action based on what it thinks it heard.

The researchers call their attack method “AudioHijack.” In the abstract, they describe it as a way to generate context-agnostic and imperceptible adversarial audio, meaning the injected sound is designed to work across different user prompts while remaining difficult for people to notice. The paper says the system uses end-to-end optimization and several supporting techniques to make the attack transfer across models and blend the perturbations into natural reverberation.

According to the abstract, the authors tested the method on 13 state-of-the-art large audio-language models across six categories of misbehavior. The paper reports average success rates ranging from 79% to 96% on unseen user contexts, while maintaining what it describes as high acoustic fidelity. Those results are claims from the paper and were not independently verified in this report.

The most consequential claim involves commercial products. The arXiv abstract says: “Real-world studies demonstrate that commercial voice agents from Mistral AI and Microsoft Azure can be induced to execute unauthorized actions on behalf of users.” As of 04:11 UTC on April 17, no public statement from Mistral AI or Microsoft Azure had been found confirming or responding to the paper, and no independent third-party reproduction of those demonstrations had been identified.

That matters in particular for systems such as Microsoft’s Azure voice and speech tooling, which is designed to connect spoken input with downstream actions and function-calling workflows. If an audio prompt injection can reliably alter model behavior in that setting, the risk goes beyond speech recognition errors and into operational misuse of voice-driven software.

Security researchers have warned for years that audio can be an attack surface. Earlier work dating back to 2016 showed “hidden voice commands” and other adversarial audio attacks against speech systems. What is newer here is the target. Rather than focusing on a standalone speech recognizer, this paper examines integrated voice AI systems that combine audio understanding with large language model behavior and, in some cases, action-taking capabilities.

The paper’s arXiv entry also says it was accepted by IEEE S&P 2026, a major security conference, which gives the work added relevance. But the most attention-grabbing claims — especially the reported demonstrations involving Mistral AI and Microsoft Azure voice agents — remain, for now, claims made by the authors in a newly posted paper, without public vendor confirmation or independent reproduction.