Papers
Topics
Authors
Recent
Search
2000 character limit reached

Persistent Memory Poisoning in LLM Agents

Updated 4 July 2026
  • Persistent memory poisoning is a threat where attacker-injected content corrupts long-term memory, impacting retrieval and decision-making across sessions.
  • Attackers exploit write and retrieval channels—using methods like MemoryGraft and MemPoison—to achieve high success rates, sometimes exceeding 90% in controlled settings.
  • Defensive strategies focus on write-time filtering, provenance binding, and retrieval-time checks, though they often face trade-offs between security reinforcement and system utility.

Searching arXiv for papers on persistent memory poisoning in LLM agents and related defenses. I’ll look up the cited arXiv records and adjacent work to ensure the article reflects the recent literature accurately. Persistent memory poisoning denotes the durable corruption of an agent’s long-term state so that attacker-influenced content is written into persistent memory, survives beyond the originating interaction, and later conditions retrieval, reasoning, or action in future sessions. In the recent LLM-agent literature, the term most often refers to runtime poisoning of external or persistent memory stores rather than weight-space modification: poisoned entries can be induced through normal interaction channels, remain dormant, and reappear when later queries are semantically related to the poisoned content (Srivastava et al., 18 Dec 2025, Pulipaka et al., 14 May 2026). A distinct earlier usage in continual learning described training-time data poisoning that degrades performance on previously learned tasks and persists across later tasks, but that line of work targets parameter consolidation rather than agent memory stores (Han et al., 2022).

1. Conceptual scope and security boundary

Persistent memory poisoning is defined against systems in which memory is stateful, retrievable, and reused. In memory-augmented agents, a write mechanism stores experience or state during one interaction, and a retrieval mechanism later injects selected memories back into the model’s context. A compact formulation used for sleeper memory poisoning is

M=MW(U,M),y=G(U,R(U,M)),M' = M \cup W(U, M), \qquad y = G(U', R(U', M')),

where WW updates memory from an input UU, RR retrieves memories for a future input UU', and GG generates the downstream response or action (Pulipaka et al., 14 May 2026). The security boundary lies between untrusted external inputs and the agent’s internally trusted memory substrate: once malicious content crosses that boundary and is persisted, later sessions may treat it as prior knowledge or validated experience.

The literature distinguishes this threat from prompt injection, which is transient and current-context bound; from static-corpus or offline RAG poisoning, which targets a fixed external corpus; and from fine-tuning or data poisoning, which alters model parameters rather than persistent state (Wang et al., 28 May 2026, Sharma, 10 Jun 2026). Several works also distinguish between poisoning factual memory, poisoning procedural memory, and poisoning broader persistent state artifacts such as identity, tool defaults, and autonomy settings (Srivastava et al., 18 Dec 2025, Xu et al., 7 May 2026).

A further broadening appears in personalized agents, where the poisoned object is not only a memory bank but an entire persistent state SS. In that formulation, a personalized agent is defined as A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S) with state evolution

St+1=Φ(St,ot,at),S_{t+1} = \Phi(S_t, o_t, a_t),

so routine interactions can gradually shift long-term defaults even without an explicit attacker (Xu et al., 7 May 2026). This suggests that “persistent memory poisoning” has become an umbrella term covering both direct corruption of stored memories and longer-horizon corruption of persistent behavioral state.

2. Memory architectures and persistence mechanisms

The attack surface depends on how memory is represented, written, and retrieved. A canonical retrieval-augmented agent model couples a reasoning core to a persistent memory store MM and retrieves past experiences through lexical and embedding similarity:

WW0

with successful new traces written back as

WW1

This architecture is explicit in the formalization of MemoryGraft, where union retrieval over BM25 and FAISS and success-based writeback jointly create a durable attack channel (Srivastava et al., 18 Dec 2025).

Not all systems store the same object. ULSP studies persistent state artifacts such as MEMORY.md, AGENTS.md, TOOLS.md, IDENTITY.md, SOUL.md, and USER.md, emphasizing that poisoning may target policy-bearing files rather than only retrieved episodic memories (Xu et al., 7 May 2026). MPBench generalizes further by modeling agent memory as WW2, where WW3 is the persistent store, WW4 is the write function, and WW5 is the retrieval function, then analyzes how explicit writes, inferred writes, compaction, and procedural synthesis each create distinct write channels (Dash et al., 3 Jun 2026).

Graph-based systems introduce additional structure. ShadowMerge models graph memory as WW6, where a fact is an edge WW7 linking an anchor entity WW8 to a value WW9 through a typed relation UU0. Persistence in such systems depends not only on writing text but on surviving entity extraction, relation canonicalization, merge into the anchor neighborhood, and later neighborhood-centric retrieval (Luo et al., 9 May 2026). Multimodal web agents extend the same principle to graph-structured memories whose nodes contain text-image evidence and whose retrieval is conditioned on screenshots rather than text queries (Zhang et al., 9 Jun 2026).

The multi-agent literature adds localization as a security dimension. Memory may be agent-local, externally hosted, or shared across agents; poisoning becomes especially consequential when semantic memory is served by third-party retrieval infrastructure or shared knowledge bases, because persistent contamination then affects multiple downstream consumers (Torra et al., 20 Mar 2026). This suggests that persistence is not merely temporal. It is also architectural: shared indices, common retrieval services, and cross-session stores amplify the blast radius of a single successful write.

3. Attack families and operational patterns

A systematic taxonomy identifies four memory write channels—explicit instruction-executed write, system prompt-driven write, compaction-driven write, and experience-to-procedure write—and six attack classes: Explicit Command Insertion, Conditional Command Insertion, Salience-Driven Compaction Poisoning, Policy-Conformant Fact Injection, False Precedent Insertion, and Skill-Procedure Insertion (Dash et al., 3 Jun 2026). These channels explain how poisoning can occur even when the attacker never directly edits the memory store.

Several representative attack patterns recur across the literature. MemoryGraft is trigger-free and indirect: benign-looking ingestion artifacts such as documentation or repository notes cause an agent to construct and persist malicious “successful experiences,” which are later surfaced by union retrieval and imitated through a “semantic imitation heuristic” (Srivastava et al., 18 Dec 2025). MemPoison instead implants a trigger–payload pair through dialogue and is optimized to survive selective extraction and rewriting by using a semantic relational bridge, entity masquerading, and joint embedding optimization (Wang et al., 28 May 2026). Sleeper memory poisoning manipulates external documents, webpages, or repositories so that a fabricated user memory is stored now and re-emerges later across future conversations (Pulipaka et al., 14 May 2026).

Other attacks specialize the same basic phenomenon to particular substrates. MemMorph biases future tool selection by injecting a small number of crafted records disguised as technical facts, incident reports, and operational policies, thereby raising the probability that the agent autonomously prefers an attacker-chosen tool in later tasks (Zhang et al., 24 May 2026). Trojan Hippo weaponizes memory for data exfiltration after a single untrusted tool read, with the payload remaining dormant across benign sessions until the user later discusses finance, health, legal, tax, or identity topics (Das et al., 3 May 2026). ShadowMerge exploits relation-channel conflicts in graph memory by ensuring that a poisoned edge shares the same anchor and canonicalized relation channel as benign evidence while carrying a conflicting value (Luo et al., 9 May 2026). MemVenom poisons graph-structured multimodal memory with coordinated text-image evidence in web agents, using trigger-conditioned retrieval and post-retrieval induction to steer future browser actions (Zhang et al., 9 Jun 2026).

The main variants can be summarized as follows:

Family Representative paper Core mechanism
Trigger-free experience poisoning MemoryGraft (Srivastava et al., 18 Dec 2025) Persist poisoned “successful experiences” and exploit imitation
Routine state poisoning ULSP (Xu et al., 7 May 2026) Routine chats reshape persistent defaults and writeback diffs
Triggerable conversational backdoor MemPoison (Wang et al., 28 May 2026) Store a trigger–payload pair that survives extraction and rewriting
Sleeper fabricated memory Hidden in Memory (Pulipaka et al., 14 May 2026) External content causes false user memory, later retrieved
Graph relation conflict ShadowMerge (Luo et al., 9 May 2026) Poisoned edge shares anchor/channel with benign evidence
Multimodal web-memory poisoning MemVenom (Zhang et al., 9 Jun 2026) Visual trigger retrieval plus post-retrieval induction

Environment-only poisoning shows that direct memory access is not necessary. eTAMP contaminates raw trajectory memory through a single manipulated observation on one site, which is later retrieved and activated during a different task on another site; Frustration Exploitation further increases susceptibility when the environment induces dropped clicks, garbled text, or other failures (Zou et al., 3 Apr 2026). This suggests that persistent poisoning is not limited to explicit memory APIs. Any mechanism that records trajectories, summaries, or state updates from untrusted environments can become a write channel.

4. Empirical findings and evaluation regimes

The empirical literature measures persistent poisoning at several stages: whether poisoned content is written, whether it is later retrieved, and whether retrieved poison changes behavior or tool use. MemoryGraft evaluates retrieval drift with Poisoned Retrieval Proportion,

UU1

and reports UU2, UU3, and UU4 across 12 benign evaluation queries. In that setup, only 10 poisoned seeds among 110 total memory items produced nearly half of all retrieved experiences (Srivastava et al., 18 Dec 2025). MPBench, which evaluates poisoning across OpenClaw and HERMES, reports average ASR UU5 and RSR UU6 overall; HERMES, with more aggressive writing and retrieval, reaches average ASR UU7 and RSR UU8, versus OpenClaw’s ASR UU9 and RSR RR0 (Dash et al., 3 Jun 2026).

Triggerable backdoor-style attacks often attain high injection and retrieval success under selective memory pipelines. MemPoison reaches attack success rates up to RR1, with under Mem0: Personal ISR RR2, RSR@1 RR3, ASR RR4, ACC RR5; Medical ISR RR6, RSR@1 RR7, ASR RR8, ACC RR9; and Financial ISR UU'0, RSR@1 UU'1, ASR UU'2, ACC UU'3 (Wang et al., 28 May 2026). The same study reports that with 1–7k benign records and only 1 poison, RSR@1 remains above UU'4 while ACC stays around UU'5 (Wang et al., 28 May 2026). Hidden in Memory reports that poisoned memories were added up to UU'6 on GPT-5.5 and UU'7 on Kimi-K2.6, and that among successful retrievals, poisoned memories caused attacker-intended agentic actions in UU'8–UU'9 of evaluations across models (Pulipaka et al., 14 May 2026).

Graph and multimodal settings show comparable or greater vulnerability. ShadowMerge achieves GG0 average attack success rate, improving the best baseline by GG1 absolute points, while keeping benign-task utility at GG2 (Luo et al., 9 May 2026). MemVenom reports end-to-end attack success up to GG3 on GPT-5-family web agents and, for ReAct-WebAgent + GPT-5.4 in phishing/redirection, ASR-r GG4, ASR-a GG5, and ASR-ra GG6 (Zhang et al., 9 Jun 2026). eTAMP, under a weaker observation-only threat model, still reaches up to GG7 ASR on GPT-5-mini, GG8 on GPT-5.2, and GG9 on GPT-OSS-120B, with Frustration Exploitation increasing ASR up to 8 times when agents encounter environmental stress (Zou et al., 3 Apr 2026).

Tool and exfiltration attacks confirm the durability of the phenomenon. Trojan Hippo reports up to SS0–SS1 percent ASR across explicit memory, agentic memory, RAG, and sliding-window backends, with planted memories activating even after 100 benign sessions (Das et al., 3 May 2026). MemMorph achieves up to SS2 ASR with only three injected records and maintains SS3 ASR even after the benign store grows from 300 to 2000 items (Zhang et al., 24 May 2026). These results collectively indicate that persistence is not an incidental side effect. It is often the primary reason the attack remains effective after the original malicious input has disappeared.

5. Detection and defense

Defenses cluster around four intervention points: write-time admission, provenance binding, retrieval-time filtering or smoothing, and post hoc forensic detection. Prompt-only filtering is repeatedly shown to be insufficient. MPBench evaluates prompt injection defenses such as PIGuard, DataFilter, CommandSans, and PromptArmor and finds that even after retraining, weak-signal memory-poisoning attacks remain poorly covered; the broader conclusion is that existing prompt injection defenses fail to cover memory poisoning attacks (Dash et al., 3 Jun 2026).

Write-time defenses attempt to stop persistent contamination before it enters memory. StateGuard audits diffs at the writeback boundary in personalized agents and rolls back dangerous edits to persistent files; its Targeted-Ensemble configuration reduces Harm Score to near zero across all evaluated models, including SS4 on GPT-5.4 and SS5 on Grok (Xu et al., 7 May 2026). MEMSAD formalizes write-time anomaly detection for retrieval-augmented memory as a Stackelberg game, proves a gradient-coupling theorem linking anomaly score gradients to retrieval objective gradients, and reports that composite defenses achieve TPR SS6 and FPR SS7 across all attacks in its SS8 attack–defense matrix, while also identifying a discrete synonym-invariance loophole outside the continuous-space guarantee (Gowda, 5 May 2026).

Provenance-bound defenses seek stronger guarantees than semantic filtering. MemoryGraft proposes Cryptographic Provenance Attestation, in which validated successes are signed and retrieval excludes unverifiable memories (Srivastava et al., 18 Dec 2025). SMSR combines HMAC-SHA256 write-time provenance with randomized memory ablation and verdict-based majority voting, reducing attack success from SS9–A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)0 to A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)1 for all unsigned variants, holding authenticated single-injection success to A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)2 with 95% CI A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)3, and lowering a live query-only attack from A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)4 to A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)5 (Sharma, 10 Jun 2026). TMA-NM goes further by arguing that both content-based and lineage-based authority are malleable under laundering; it instead binds authority to authenticated origin at write time, allows elevation only through independent corroboration or fresh user authorization, and reports A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)6 attack success on both direct and laundering attacks across all models and channels at full legitimate utility (Louck, 23 Jun 2026).

Retrieval-time and runtime detectors complement prevention. For delayed-trigger exfiltration, a simple invariant that successful attacks call memory_recall_fact before email_send_email yields AUC A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)7, while a Random Forest over 19 trajectory features reaches AUC A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)8 with BCa 95% CI A=(L,T,S)\mathcal{A}=(\mathcal{L},\mathcal{T},S)9 (Leong, 29 Jun 2026). Local-first systems emphasize isolation and provenance rather than semantic inspection: SuperLocalMemory combines per-agent provenance, Bayesian trust scoring, and enforcement below a default trust threshold of St+1=Φ(St,ot,at),S_{t+1} = \Phi(S_t, o_t, a_t),0, reporting a trust separation gap of St+1=Φ(St,ot,at),S_{t+1} = \Phi(S_t, o_t, a_t),1 and St+1=Φ(St,ot,at),S_{t+1} = \Phi(S_t, o_t, a_t),2 trust degradation for sleeper attacks (Bhardwaj, 17 Feb 2026). In the multi-agent security literature, cryptographic provenance, secure communication, append-only logging, and local inference based on private knowledge retrieval are proposed as secure-by-design mitigations for semantic memory poisoning (Torra et al., 20 Mar 2026).

6. Limits, controversies, and research trajectory

Three recurring controversies shape the field. The first is the boundary between poisoning and ordinary adaptation. ULSP shows that routine, benign-seeming chats can substantially poison long-term state without an explicit attacker, while memory-poisoning benchmarks often assume adversarial intent (Xu et al., 7 May 2026). A plausible implication is that future work will need finer distinctions between malicious writes, benign but risky personalization drift, and ordinary preference learning.

The second is the security–utility tradeoff. Trojan Hippo shows that defenses such as no-untrusted-write, user-prompt-only indexing, and information-flow control can reduce ASR to St+1=Φ(St,ot,at),S_{t+1} = \Phi(S_t, o_t, a_t),3–St+1=Φ(St,ot,at),S_{t+1} = \Phi(S_t, o_t, a_t),4, but utility costs differ sharply across capability profiles, with IFC driving harmonic-mean utility close to zero on flows that require sending after reading untrusted content (Das et al., 3 May 2026). SMSR similarly reports clean-query utility of St+1=Φ(St,ot,at),S_{t+1} = \Phi(S_t, o_t, a_t),5 for provenance alone and St+1=Φ(St,ot,at),S_{t+1} = \Phi(S_t, o_t, a_t),6 for the combined defense (Sharma, 10 Jun 2026). This suggests that strong guarantees currently come most naturally from restrictive write and act policies, not from frictionless filtering.

The third is model and architecture dependence. eTAMP reports that more capable models are not more secure, with GPT-5.2 showing substantial vulnerability despite superior task performance (Zou et al., 3 Apr 2026). Hidden in Memory shows that provider harness and memory-writing regime materially affect injection rates, and MPBench shows that agents designed to write and retrieve memory more aggressively are more exploitable (Pulipaka et al., 14 May 2026, Dash et al., 3 Jun 2026). At the same time, TMA-NM argues that content- and lineage-based signals are structurally malleable under laundering and therefore cannot be made sound without write-time origin binding (Louck, 23 Jun 2026). A plausible implication is that memory security will increasingly be treated as a systems problem—provenance, storage policy, retrieval policy, and action gating—rather than as a prompt-hardening problem alone.

Open problems remain broad. Multi-agent propagation is repeatedly identified as under-studied (Xu et al., 7 May 2026, Torra et al., 20 Mar 2026). Graph-based and multimodal memories require relation-aware and OCR-aware defenses rather than text-only filters (Luo et al., 9 May 2026, Zhang et al., 9 Jun 2026). MEMSAD’s synonym loophole and SMSR’s bounded-adversary certificate both mark limits of current formal defenses (Gowda, 5 May 2026, Sharma, 10 Jun 2026). Across the literature, a common design conclusion emerges: once experience, personalization, and retrieval become a learning substrate, persistent memory itself becomes a first-class attack surface whose security properties must be specified, enforced, and audited as rigorously as model weights, prompts, and tool interfaces.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (17)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Persistent Memory Poisoning.