Papers
Topics
Authors
Recent
Search
2000 character limit reached

Persistent Memory Attacks

Updated 5 July 2026
  • Persistent memory attacks are exploits targeting long-term stored state in LLM agents and non-volatile memory, enabling adversaries to manipulate planning and trigger data exfiltration.
  • They leverage multiple write channels and vulnerabilities such as instruction–data boundary blindness and weak signal attacks, bypassing standard prompt-injection defenses.
  • Empirical studies reveal high attack success rates and notable performance trade-offs in mitigation strategies, underscoring the urgent need for robust memory governance and advanced safeguards.

Persistent memory attacks are attacks that exploit state that survives beyond the interaction or execution in which it was created. In current research, the term spans two major settings. In memory-augmented LLM agents, adversarial content is written into long-term memory and later retrieved across tasks and sessions, so that a single poisoned write can steer future planning, tool use, or data exfiltration long after the original prompt has disappeared (Xu et al., 16 Mar 2026). In computer architecture, persistent memory attacks target non-volatile main memory and its security metadata, where data remanence across power loss, reboot, and sleep enlarges the attack surface from transient runtime compromise to durable post-crash or post-reboot exploitation (Yao et al., 2019, Awad et al., 2018). Across both settings, persistence turns storage into an active security boundary rather than a passive repository.

1. Conceptual scope and system models

In memory-augmented agents, persistent memory is a long-term state MM coupled to a retrieval function and an update function. The operational loop is “Read[M] \rightarrow Plan[control flow] \rightarrow Execute[tools] \rightarrow Write[M],” and “control flow” denotes which tools are chosen, in what order, and with what arguments (Xu et al., 16 Mar 2026). This formulation matters because the memory is not merely descriptive context; it directly conditions planning and tool selection.

A broader systematic treatment models an agent memory system as M=(S,W,R)\mathcal{M} = (S, W, R), where SS is the persistent store, WW maps interaction context into writes, and RR maps future queries into retrieved entries. Within SS, the literature distinguishes factual memory, experience memory, and procedural memory, and identifies four write channels: explicit instruction-executed write, system-prompt-driven write, compaction-driven write, and experience-to-procedure write (Dash et al., 3 Jun 2026). This suggests that persistent memory attacks are not tied to a single storage abstraction; they arise whenever untrusted context can cross the boundary from transient input into durable agent state.

In non-volatile memory systems, the same persistence principle appears at the hardware level. NVM retains data across power loss, so both application data and security metadata such as encryption counters and Merkle Tree data must be securely persisted and recovered across system reboots and during recovery from crashes (Awad et al., 2018). Earlier architectural work frames the core threat as data remanence in PCM, MRAM, and related technologies: unlike DRAM, memory contents do not disappear when the machine powers down or enters sleep, enabling offline probing, post-reboot mining of residual state, and tampering while the runtime system is suspended (Yao et al., 2019).

2. Attack surfaces and taxonomies in LLM agents

A systematic memory-poisoning taxonomy identifies four write channels and nine structural vulnerabilities spanning model capability, prompt design, and system architecture. The key model-side weaknesses are instruction–data boundary blindness and source attribution failure in multi-source contexts. At the prompt layer, memory write policy under-specification and compaction without source filtering allow vague “save relevant information” objectives to absorb adversarial content. At the architectural layer, no write-path validation, shared multi-source context, manipulable compaction triggers, no validation for skill creation, and self-improvement as amplification make those channels exploitable (Dash et al., 3 Jun 2026).

Within tool-using agents, “Memory Control Flow Attacks” define a two-phase pattern: an adversary injects a policy into long-term memory, and for some later benign task the resulting tool-call trace follows the attacker’s policy while violating the system’s safe control-flow policy. The paper organizes these attacks into OVERRIDE, where memory hijacks tool choice toward prohibited or risky tools; ORDER, where required dependencies are violated and safety-critical steps are skipped; M-SCOPE, where the poisoned logic generalizes across heterogeneous tasks; PERSISTENCE, where violations continue after many benign tasks; and RELAPSE, where textual repair fails and the agent snaps back to the poisoned policy (Xu et al., 16 Mar 2026).

A related delayed form is “sleeper memory poisoning.” Here the attacker manipulates external context such as a document, webpage, email, or repository so that the assistant stores a fabricated memory about the user. The poisoned memory then remains dormant until a later, separate conversation retrieves it and uses it to influence behavior (Pulipaka et al., 14 May 2026). “Trojan Hippo” specializes this pattern to data exfiltration: a crafted email plants a dormant payload into long-term memory, the payload activates only when the user later discusses finance, health, legal matters, tax, or identity, and the agent sends the user’s sensitive message to an attacker-controlled email address (Das et al., 3 May 2026). In web agents, eTAMP extends the same logic to trajectory memory: a single contaminated observation on one site is stored in memory and later retrieved on a different site, creating cross-session, cross-site compromise without direct memory access (Zou et al., 3 Apr 2026).

3. Empirical behavior and measured impact in agentic systems

The strongest empirical result on tool-control deviation is that memory retrieval can dominate planning. MEMFLOW evaluates GPT-5 mini, Claude Sonnet 4.5, Gemini 2.5 Flash, and Qwen 3.5 on LangChain and LlamaIndex agents and reports Override ASR of 97.2–100%, M-Scope ASR of 97.2–100%, Persistence ASR of 100%, and Resistance ASR of 100% in the Online regime whenever retrieval is enabled. With retrieval OFF, all ASRs drop to 0% despite injection success rate =100%= 100\%, supporting the claim that the deviations are strictly memory-driven; overall, “over 90%” of trials are vulnerable when memory retrieval is enabled, even under strict safety constraints (Xu et al., 16 Mar 2026).

Similarity-based long-term memory systems show the same persistence in answer generation. ER-MIA studies black-box adversarial memory injection on Mem0 and A-mem and reports that, on Mem0 with Llama 3.2, Harsh Instruction causes an overall F1 drop of approximately \rightarrow0, General Negation approximately \rightarrow1, and strongest ensembles reduce overall F1 from 23.60 to 2–3. As retrieval \rightarrow2 increases, clean recall can improve, but adversarial retrieval frequency approaches nearly 100% for \rightarrow3, so overall F1 decreases under attack (Piehl et al., 17 Feb 2026).

Selective memory pipelines do not remove the attack surface. MemPoison targets extraction, rewriting, and retrieval jointly and reports attack success rates up to 0.95 across Personal, Medical, and Financial agents while keeping benign accuracy high in many settings; its mechanistic analysis attributes success to semantic relational bridging, entity masquerading, and a concentrated, isolated trigger cluster in embedding space (Wang et al., 28 May 2026). Sleeper memory poisoning measures the full pipeline of write, retrieve, and use: poisoned memories were added up to 99.8% on GPT-5.5 and 95% on Kimi-K2.6, and among successful retrievals caused attacker-intended agentic actions in 60–89% of evaluations across models (Pulipaka et al., 14 May 2026).

The delayed-exfiltration setting yields similarly persistent results. Trojan Hippo, instantiated on an email assistant across explicit tool memory, agentic memory, RAG, and sliding-window context, achieves up to 85–100 percent ASR against frontier OpenAI and Google models, with planted memories successfully activating even after 100 benign sessions (Das et al., 3 May 2026). In web agents, eTAMP reaches up to 32.5% ASR on GPT-5-mini, 23.4% on GPT-5.2, and 19.5% on GPT-OSS-120B, and introduces “Frustration Exploitation,” where ASR increases up to 8 times when the environment induces dropped clicks or garbled text (Zou et al., 3 Apr 2026). A broader benchmark view comes from MPBench: across two agents and six attack classes, the average ASR is 50.46% and the average RSR is 41.05%, with HERMES at 66.67% ASR and 64.70% RSR versus OpenClaw at 34.25% and 17.40%, indicating that agents designed to write and retrieve memory more aggressively are more exploitable (Dash et al., 3 Jun 2026).

4. Defenses in agent memory architectures and their limits

The most consistent defense lesson is that prompt-injection defenses do not transfer cleanly to memory poisoning. In MPBench, off-the-shelf PIGuard reaches 38.33% TPR with 0.33% FPR, DataFilter 23.00% TPR with 53.33% FPR, CommandSans 52.33% TPR with 45.00% FPR, and PromptArmor 67.67% TPR with 1.00% FPR. Weak-signal attacks such as policy-conformant fact injection, false precedent insertion, and skill-procedure insertion remain especially hard to detect: PromptArmor drops from 84.44% detection on strong-signal cases to 42.50% on weak-signal cases, and retraining improves some rates only modestly (Dash et al., 3 Jun 2026).

Memory-aware mitigations are more promising but still incomplete. Role-Based Memory Segregation (RBMS) separates immutable system rules from attacker-influenceable user memory and adds a hierarchy patch stating that system rules override preferences. This reduces Override ASR substantially—for example, in LangChain the D2 configuration yields 8.3%, 2.8%, and 63.9% depending on model—but does not eliminate attacks, showing that strongly phrased preferences are still sometimes treated as de facto rules (Xu et al., 16 Mar 2026).

A direct architectural evaluation across layers shows why several defenses fail. Input-level filtering with Minimizer or Sanitizer and retrieval-level filtering with RAG Sanitizer or RAG LLM Judge all remain at approximately baseline attack success, 88–89% ASR, statistically indistinguishable from the undefended baseline of 88.6%. Prompt Hardening partially fails at 77.8% ASR. Tool-gating at the memory layer, “Memory Sandbox,” reduces ASR to 0% for eight of nine open-source models by removing the recall capability the attack requires, with BTCR = 100% across all no-attack conditions; the exception is a reasoning model whose ASR inverts from 0% under no defense to 100% under Memory Sandbox because removing explicit recall forces it onto the RAG pathway where its refusal mechanism does not activate (Leong, 8 May 2026).

Trojan Hippo studies a different but related defense frontier. “User-prompt-only” and “no-untrusted-write” can reduce ASR to as low as 0–5 percent, and an Information-Flow Control policy can reduce ASR to 0% with a formal non-interference argument. However, those gains come with substantial security–utility tradeoffs, especially for workflows that combine untrusted reads with later memory writes or outbound email actions (Das et al., 3 May 2026). MemPoison reaches a similar conclusion from another angle: perplexity-based filtering with \rightarrow4 still leaves ASR at 0.40 with ACC 0.71, and paraphrasing defenses leave ASR between 0.77 and 0.89 across several paraphrasing LLMs, because entity-like triggers survive rewriting and the embedding-space backdoor remains intact (Wang et al., 28 May 2026).

5. Persistence-based attacks in non-volatile main memory

In computer architecture, persistent memory attacks originally referred to attacks on state that remains physically present after power-down. One line of work distinguishes three threat classes for NVM: offline attacks, where an attacker probes memory after the system is powered down; online post-reboot attacks, where a malicious application launched after reboot reads residual memory contents from previous runs; and attacks in low-power or sleep states, where a physically present adversary can read or modify memory contents while the runtime system is suspended. The central concern is “the attacker having physical access to the main memory subsystem and his ability to exploit the persistence property of NVM to read remanent sensitive data and/or manipulate memory contents that may lead to erroneous, harmful program behavior” (Yao et al., 2019).

Integrity-protected NVM enlarges the attack surface further because data persistence and metadata persistence must match. Triad-NVM defines “Persistent-Security” as the requirement that a secure system recover encryption counters and Merkle Tree metadata after crashes while ensuring that one-time pads are never repeated. Without such persistence, attackers can exploit stale counters and inconsistent Merkle-tree state to mount known-plaintext attacks, replay or roll back security metadata, or render large regions unverifiable after recovery (Awad et al., 2018).

Persistent memory also exposes leakage channels that do not depend on reading plaintext. “Connecting the Dots” shows that, by using a compromised DMA device to take frequent snapshots and running differential analysis on the snapshots, an attacker can infer the complete 512-bit secret exponent in approximately 3.5 minutes from write-access patterns alone (John et al., 2017). Separately, IMPACT demonstrates 8.2 Mb/s and 14.8 Mb/s main-memory covert channels and a side-channel attack by exploiting shared DRAM row buffers in processing-in-memory architectures. A plausible implication is that persistent or near-memory systems exposing shared row or page buffers can inherit analogous covert- and side-channel risks when they make internal buffer state directly observable through near-memory operations (Bostanci et al., 2024).

6. Protection mechanisms, formal guarantees, and open problems

The dominant hardware mitigation for data remanence is to ensure that data at rest in NVM is encrypted before it reaches non-volatile cells. One design encrypts all data at the memory controller, decrypts on reads, uses a fresh random key per session, stores keys in special hardware registers accessible only in privileged mode, clears those registers on sleep or reboot, and avoids any additional writes beyond those originally issued by applications. It further evaluates single encryption versus differentiated encryption and a hybrid DRAM-buffer-cache plus PCM main memory. In the reported Gem5/SPEC 2006 evaluation, worst-case performance overhead in pure PCM is about 8.1% with RSA on mcf, while differentiated encryption keeps the worst case around 5%, and hybrid PCM–DRAM with differentiated encryption keeps the worst case around 5.9% performance and 2.8% power (Yao et al., 2019).

Triad-NVM extends confidentiality-only designs into crash-consistent integrity protection by persisting both encryption counters and selected bottom levels of the Merkle tree, splitting persistent and non-persistent regions, and rotating keys so that counter reuse in non-persistent regions cannot reuse the same one-time pad under the same key. Relative to strict persistence, Triad-NVM improves throughput by an average of approximately \rightarrow5, maintains recovery time of less than 4 seconds for an 8TB NVM system and 30.6 seconds for 64TB, and is approximately 3648x faster than a system without security metadata persistence (Awad et al., 2018).

At the formal methods level, information-flow security on persistent memory treats crash states as reorderings of writes. The key notion is reordering interference freedom, \rightarrow6, which checks whether pairwise instruction reorderings permitted by the architecture introduce new low-observable behaviors. Applied to persistent memory, this exposes crash-based leakage when data and metadata writes reach persistence out of order. The seqlock example shows that a design secure under sequential and x86 TSO semantics can become insecure under persistent-memory reorderings, because a crash can leave c even while x2 has not yet persisted and x1 contains high data; adding clflush around the commit sequence restores the required invariant (Smith, 24 Jun 2026).

A plausible unifying view is that persistent memory attacks arise whenever durable state is later re-entered into execution without sufficiently strong provenance, integrity, or trust separation. In LLM agents, that state is user memory, experience memory, or procedural memory; in NVM systems, it is application data plus security metadata. The open problems are correspondingly parallel: robust memory governance and auditing for agentic systems, and efficient integrity-plus-confidentiality schemes for large-capacity persistent memory without excessive write amplification or recovery latency (Dash et al., 3 Jun 2026, Awad et al., 2018).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Persistent Memory Attacks.