Persistent Memory Poisoning in LLM Agents
- Persistent memory poisoning is a threat where attacker-injected content corrupts long-term memory, impacting retrieval and decision-making across sessions.
- Attackers exploit write and retrieval channels—using methods like MemoryGraft and MemPoison—to achieve high success rates, sometimes exceeding 90% in controlled settings.
- Defensive strategies focus on write-time filtering, provenance binding, and retrieval-time checks, though they often face trade-offs between security reinforcement and system utility.
Searching arXiv for papers on persistent memory poisoning in LLM agents and related defenses. I’ll look up the cited arXiv records and adjacent work to ensure the article reflects the recent literature accurately. Persistent memory poisoning denotes the durable corruption of an agent’s long-term state so that attacker-influenced content is written into persistent memory, survives beyond the originating interaction, and later conditions retrieval, reasoning, or action in future sessions. In the recent LLM-agent literature, the term most often refers to runtime poisoning of external or persistent memory stores rather than weight-space modification: poisoned entries can be induced through normal interaction channels, remain dormant, and reappear when later queries are semantically related to the poisoned content (Srivastava et al., 18 Dec 2025, Pulipaka et al., 14 May 2026). A distinct earlier usage in continual learning described training-time data poisoning that degrades performance on previously learned tasks and persists across later tasks, but that line of work targets parameter consolidation rather than agent memory stores (Han et al., 2022).
1. Conceptual scope and security boundary
Persistent memory poisoning is defined against systems in which memory is stateful, retrievable, and reused. In memory-augmented agents, a write mechanism stores experience or state during one interaction, and a retrieval mechanism later injects selected memories back into the model’s context. A compact formulation used for sleeper memory poisoning is
where updates memory from an input , retrieves memories for a future input , and generates the downstream response or action (Pulipaka et al., 14 May 2026). The security boundary lies between untrusted external inputs and the agent’s internally trusted memory substrate: once malicious content crosses that boundary and is persisted, later sessions may treat it as prior knowledge or validated experience.
The literature distinguishes this threat from prompt injection, which is transient and current-context bound; from static-corpus or offline RAG poisoning, which targets a fixed external corpus; and from fine-tuning or data poisoning, which alters model parameters rather than persistent state (Wang et al., 28 May 2026, Sharma, 10 Jun 2026). Several works also distinguish between poisoning factual memory, poisoning procedural memory, and poisoning broader persistent state artifacts such as identity, tool defaults, and autonomy settings (Srivastava et al., 18 Dec 2025, Xu et al., 7 May 2026).
A further broadening appears in personalized agents, where the poisoned object is not only a memory bank but an entire persistent state . In that formulation, a personalized agent is defined as with state evolution
so routine interactions can gradually shift long-term defaults even without an explicit attacker (Xu et al., 7 May 2026). This suggests that “persistent memory poisoning” has become an umbrella term covering both direct corruption of stored memories and longer-horizon corruption of persistent behavioral state.
2. Memory architectures and persistence mechanisms
The attack surface depends on how memory is represented, written, and retrieved. A canonical retrieval-augmented agent model couples a reasoning core to a persistent memory store and retrieves past experiences through lexical and embedding similarity:
0
with successful new traces written back as
1
This architecture is explicit in the formalization of MemoryGraft, where union retrieval over BM25 and FAISS and success-based writeback jointly create a durable attack channel (Srivastava et al., 18 Dec 2025).
Not all systems store the same object. ULSP studies persistent state artifacts such as MEMORY.md, AGENTS.md, TOOLS.md, IDENTITY.md, SOUL.md, and USER.md, emphasizing that poisoning may target policy-bearing files rather than only retrieved episodic memories (Xu et al., 7 May 2026). MPBench generalizes further by modeling agent memory as 2, where 3 is the persistent store, 4 is the write function, and 5 is the retrieval function, then analyzes how explicit writes, inferred writes, compaction, and procedural synthesis each create distinct write channels (Dash et al., 3 Jun 2026).
Graph-based systems introduce additional structure. ShadowMerge models graph memory as 6, where a fact is an edge 7 linking an anchor entity 8 to a value 9 through a typed relation 0. Persistence in such systems depends not only on writing text but on surviving entity extraction, relation canonicalization, merge into the anchor neighborhood, and later neighborhood-centric retrieval (Luo et al., 9 May 2026). Multimodal web agents extend the same principle to graph-structured memories whose nodes contain text-image evidence and whose retrieval is conditioned on screenshots rather than text queries (Zhang et al., 9 Jun 2026).
The multi-agent literature adds localization as a security dimension. Memory may be agent-local, externally hosted, or shared across agents; poisoning becomes especially consequential when semantic memory is served by third-party retrieval infrastructure or shared knowledge bases, because persistent contamination then affects multiple downstream consumers (Torra et al., 20 Mar 2026). This suggests that persistence is not merely temporal. It is also architectural: shared indices, common retrieval services, and cross-session stores amplify the blast radius of a single successful write.
3. Attack families and operational patterns
A systematic taxonomy identifies four memory write channels—explicit instruction-executed write, system prompt-driven write, compaction-driven write, and experience-to-procedure write—and six attack classes: Explicit Command Insertion, Conditional Command Insertion, Salience-Driven Compaction Poisoning, Policy-Conformant Fact Injection, False Precedent Insertion, and Skill-Procedure Insertion (Dash et al., 3 Jun 2026). These channels explain how poisoning can occur even when the attacker never directly edits the memory store.
Several representative attack patterns recur across the literature. MemoryGraft is trigger-free and indirect: benign-looking ingestion artifacts such as documentation or repository notes cause an agent to construct and persist malicious “successful experiences,” which are later surfaced by union retrieval and imitated through a “semantic imitation heuristic” (Srivastava et al., 18 Dec 2025). MemPoison instead implants a trigger–payload pair through dialogue and is optimized to survive selective extraction and rewriting by using a semantic relational bridge, entity masquerading, and joint embedding optimization (Wang et al., 28 May 2026). Sleeper memory poisoning manipulates external documents, webpages, or repositories so that a fabricated user memory is stored now and re-emerges later across future conversations (Pulipaka et al., 14 May 2026).
Other attacks specialize the same basic phenomenon to particular substrates. MemMorph biases future tool selection by injecting a small number of crafted records disguised as technical facts, incident reports, and operational policies, thereby raising the probability that the agent autonomously prefers an attacker-chosen tool in later tasks (Zhang et al., 24 May 2026). Trojan Hippo weaponizes memory for data exfiltration after a single untrusted tool read, with the payload remaining dormant across benign sessions until the user later discusses finance, health, legal, tax, or identity topics (Das et al., 3 May 2026). ShadowMerge exploits relation-channel conflicts in graph memory by ensuring that a poisoned edge shares the same anchor and canonicalized relation channel as benign evidence while carrying a conflicting value (Luo et al., 9 May 2026). MemVenom poisons graph-structured multimodal memory with coordinated text-image evidence in web agents, using trigger-conditioned retrieval and post-retrieval induction to steer future browser actions (Zhang et al., 9 Jun 2026).
The main variants can be summarized as follows:
| Family | Representative paper | Core mechanism |
|---|---|---|
| Trigger-free experience poisoning | MemoryGraft (Srivastava et al., 18 Dec 2025) | Persist poisoned “successful experiences” and exploit imitation |
| Routine state poisoning | ULSP (Xu et al., 7 May 2026) | Routine chats reshape persistent defaults and writeback diffs |
| Triggerable conversational backdoor | MemPoison (Wang et al., 28 May 2026) | Store a trigger–payload pair that survives extraction and rewriting |
| Sleeper fabricated memory | Hidden in Memory (Pulipaka et al., 14 May 2026) | External content causes false user memory, later retrieved |
| Graph relation conflict | ShadowMerge (Luo et al., 9 May 2026) | Poisoned edge shares anchor/channel with benign evidence |
| Multimodal web-memory poisoning | MemVenom (Zhang et al., 9 Jun 2026) | Visual trigger retrieval plus post-retrieval induction |
Environment-only poisoning shows that direct memory access is not necessary. eTAMP contaminates raw trajectory memory through a single manipulated observation on one site, which is later retrieved and activated during a different task on another site; Frustration Exploitation further increases susceptibility when the environment induces dropped clicks, garbled text, or other failures (Zou et al., 3 Apr 2026). This suggests that persistent poisoning is not limited to explicit memory APIs. Any mechanism that records trajectories, summaries, or state updates from untrusted environments can become a write channel.
4. Empirical findings and evaluation regimes
The empirical literature measures persistent poisoning at several stages: whether poisoned content is written, whether it is later retrieved, and whether retrieved poison changes behavior or tool use. MemoryGraft evaluates retrieval drift with Poisoned Retrieval Proportion,
1
and reports 2, 3, and 4 across 12 benign evaluation queries. In that setup, only 10 poisoned seeds among 110 total memory items produced nearly half of all retrieved experiences (Srivastava et al., 18 Dec 2025). MPBench, which evaluates poisoning across OpenClaw and HERMES, reports average ASR 5 and RSR 6 overall; HERMES, with more aggressive writing and retrieval, reaches average ASR 7 and RSR 8, versus OpenClaw’s ASR 9 and RSR 0 (Dash et al., 3 Jun 2026).
Triggerable backdoor-style attacks often attain high injection and retrieval success under selective memory pipelines. MemPoison reaches attack success rates up to 1, with under Mem0: Personal ISR 2, RSR@1 3, ASR 4, ACC 5; Medical ISR 6, RSR@1 7, ASR 8, ACC 9; and Financial ISR 0, RSR@1 1, ASR 2, ACC 3 (Wang et al., 28 May 2026). The same study reports that with 1–7k benign records and only 1 poison, RSR@1 remains above 4 while ACC stays around 5 (Wang et al., 28 May 2026). Hidden in Memory reports that poisoned memories were added up to 6 on GPT-5.5 and 7 on Kimi-K2.6, and that among successful retrievals, poisoned memories caused attacker-intended agentic actions in 8–9 of evaluations across models (Pulipaka et al., 14 May 2026).
Graph and multimodal settings show comparable or greater vulnerability. ShadowMerge achieves 0 average attack success rate, improving the best baseline by 1 absolute points, while keeping benign-task utility at 2 (Luo et al., 9 May 2026). MemVenom reports end-to-end attack success up to 3 on GPT-5-family web agents and, for ReAct-WebAgent + GPT-5.4 in phishing/redirection, ASR-r 4, ASR-a 5, and ASR-ra 6 (Zhang et al., 9 Jun 2026). eTAMP, under a weaker observation-only threat model, still reaches up to 7 ASR on GPT-5-mini, 8 on GPT-5.2, and 9 on GPT-OSS-120B, with Frustration Exploitation increasing ASR up to 8 times when agents encounter environmental stress (Zou et al., 3 Apr 2026).
Tool and exfiltration attacks confirm the durability of the phenomenon. Trojan Hippo reports up to 0–1 percent ASR across explicit memory, agentic memory, RAG, and sliding-window backends, with planted memories activating even after 100 benign sessions (Das et al., 3 May 2026). MemMorph achieves up to 2 ASR with only three injected records and maintains 3 ASR even after the benign store grows from 300 to 2000 items (Zhang et al., 24 May 2026). These results collectively indicate that persistence is not an incidental side effect. It is often the primary reason the attack remains effective after the original malicious input has disappeared.
5. Detection and defense
Defenses cluster around four intervention points: write-time admission, provenance binding, retrieval-time filtering or smoothing, and post hoc forensic detection. Prompt-only filtering is repeatedly shown to be insufficient. MPBench evaluates prompt injection defenses such as PIGuard, DataFilter, CommandSans, and PromptArmor and finds that even after retraining, weak-signal memory-poisoning attacks remain poorly covered; the broader conclusion is that existing prompt injection defenses fail to cover memory poisoning attacks (Dash et al., 3 Jun 2026).
Write-time defenses attempt to stop persistent contamination before it enters memory. StateGuard audits diffs at the writeback boundary in personalized agents and rolls back dangerous edits to persistent files; its Targeted-Ensemble configuration reduces Harm Score to near zero across all evaluated models, including 4 on GPT-5.4 and 5 on Grok (Xu et al., 7 May 2026). MEMSAD formalizes write-time anomaly detection for retrieval-augmented memory as a Stackelberg game, proves a gradient-coupling theorem linking anomaly score gradients to retrieval objective gradients, and reports that composite defenses achieve TPR 6 and FPR 7 across all attacks in its 8 attack–defense matrix, while also identifying a discrete synonym-invariance loophole outside the continuous-space guarantee (Gowda, 5 May 2026).
Provenance-bound defenses seek stronger guarantees than semantic filtering. MemoryGraft proposes Cryptographic Provenance Attestation, in which validated successes are signed and retrieval excludes unverifiable memories (Srivastava et al., 18 Dec 2025). SMSR combines HMAC-SHA256 write-time provenance with randomized memory ablation and verdict-based majority voting, reducing attack success from 9–0 to 1 for all unsigned variants, holding authenticated single-injection success to 2 with 95% CI 3, and lowering a live query-only attack from 4 to 5 (Sharma, 10 Jun 2026). TMA-NM goes further by arguing that both content-based and lineage-based authority are malleable under laundering; it instead binds authority to authenticated origin at write time, allows elevation only through independent corroboration or fresh user authorization, and reports 6 attack success on both direct and laundering attacks across all models and channels at full legitimate utility (Louck, 23 Jun 2026).
Retrieval-time and runtime detectors complement prevention. For delayed-trigger exfiltration, a simple invariant that successful attacks call memory_recall_fact before email_send_email yields AUC 7, while a Random Forest over 19 trajectory features reaches AUC 8 with BCa 95% CI 9 (Leong, 29 Jun 2026). Local-first systems emphasize isolation and provenance rather than semantic inspection: SuperLocalMemory combines per-agent provenance, Bayesian trust scoring, and enforcement below a default trust threshold of 0, reporting a trust separation gap of 1 and 2 trust degradation for sleeper attacks (Bhardwaj, 17 Feb 2026). In the multi-agent security literature, cryptographic provenance, secure communication, append-only logging, and local inference based on private knowledge retrieval are proposed as secure-by-design mitigations for semantic memory poisoning (Torra et al., 20 Mar 2026).
6. Limits, controversies, and research trajectory
Three recurring controversies shape the field. The first is the boundary between poisoning and ordinary adaptation. ULSP shows that routine, benign-seeming chats can substantially poison long-term state without an explicit attacker, while memory-poisoning benchmarks often assume adversarial intent (Xu et al., 7 May 2026). A plausible implication is that future work will need finer distinctions between malicious writes, benign but risky personalization drift, and ordinary preference learning.
The second is the security–utility tradeoff. Trojan Hippo shows that defenses such as no-untrusted-write, user-prompt-only indexing, and information-flow control can reduce ASR to 3–4, but utility costs differ sharply across capability profiles, with IFC driving harmonic-mean utility close to zero on flows that require sending after reading untrusted content (Das et al., 3 May 2026). SMSR similarly reports clean-query utility of 5 for provenance alone and 6 for the combined defense (Sharma, 10 Jun 2026). This suggests that strong guarantees currently come most naturally from restrictive write and act policies, not from frictionless filtering.
The third is model and architecture dependence. eTAMP reports that more capable models are not more secure, with GPT-5.2 showing substantial vulnerability despite superior task performance (Zou et al., 3 Apr 2026). Hidden in Memory shows that provider harness and memory-writing regime materially affect injection rates, and MPBench shows that agents designed to write and retrieve memory more aggressively are more exploitable (Pulipaka et al., 14 May 2026, Dash et al., 3 Jun 2026). At the same time, TMA-NM argues that content- and lineage-based signals are structurally malleable under laundering and therefore cannot be made sound without write-time origin binding (Louck, 23 Jun 2026). A plausible implication is that memory security will increasingly be treated as a systems problem—provenance, storage policy, retrieval policy, and action gating—rather than as a prompt-hardening problem alone.
Open problems remain broad. Multi-agent propagation is repeatedly identified as under-studied (Xu et al., 7 May 2026, Torra et al., 20 Mar 2026). Graph-based and multimodal memories require relation-aware and OCR-aware defenses rather than text-only filters (Luo et al., 9 May 2026, Zhang et al., 9 Jun 2026). MEMSAD’s synonym loophole and SMSR’s bounded-adversary certificate both mark limits of current formal defenses (Gowda, 5 May 2026, Sharma, 10 Jun 2026). Across the literature, a common design conclusion emerges: once experience, personalization, and retrieval become a learning substrate, persistent memory itself becomes a first-class attack surface whose security properties must be specified, enforced, and audited as rigorously as model weights, prompts, and tool interfaces.