Title: From Untrusted Input to Trusted Memory: A Systematic Study of Memory Poisoning Attacks in LLM Agents
Abstract:
Memory serves as a foundational element for AI agents, allowing them to build knowledge bases over time and enhance their operational performance through repeated interactions. Nevertheless, the persistence of this memory creates a vulnerability to memory poisoning, a threat where a single malicious memory update can permanently alter an agent’s future behavior. This paper offers a comprehensive analysis of memory poisoning within Large Language Model (LLM) agents. We pinpoint four distinct channels for memory writes and nine structural weaknesses—ranging from model capabilities and system prompt configurations to overall agent architecture—that render these channels susceptible to exploitation. Leveraging these identified vulnerabilities, we establish a taxonomy comprising six categories of memory poisoning attacks. Additionally, we introduce MPBench, a specialized benchmark designed to assess the efficacy of memory poisoning attacks, demonstrating that agents configured for aggressive memory writing and retrieval are particularly prone to exploitation. Our results also indicate that current prompt injection defenses are insufficient against memory poisoning threats. These insights lay the groundwork for better comprehension and mitigation of memory poisoning risks facing AI agents.
Source: arXiv
Generated at: 2026-06-04 00:00:00 UTC