MemPoison: Uncovering Persistent Memory Threats and Structural Blind Spots in LLM Agents

📅 2026-07-16
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work identifies critical security vulnerabilities in persistent external memory systems of large language model (LLM) agents, wherein adversarial content can be injected through ordinary interactions, persist over time, and subsequently distort agent behavior. To systematically investigate this threat, the authors introduce MemPoison—a comprehensive benchmark and analytical framework encompassing 1,227 hand-verified cases—and evaluate four attack types, three injection channels, and three memory backends across ten prominent LLMs. They propose a novel three-tier attack taxonomy (L1–L3) and a Mechanism Impact Decomposition (MID) method to dissect vulnerability sources. Experiments reveal that current write-time defenses are only effective against L1 attacks, exhibiting structural blind spots against more sophisticated L2 and L3 attacks, thereby advocating a paradigm shift from static filtering toward adaptive, context-aware memory security mechanisms.
📝 Abstract
Persistent external memory enhances agent continuity but introduces persistent security vulnerabilities: adversarial content can be injected via standard interaction channels, retained across turns, and later distort downstream behavior. To address this challenge, we propose MemPoison, a comprehensive benchmark and analysis framework featuring 1227 hand-validated cases across four attack types, three injection channels, and three representative memory substrates, evaluated on seven open-weight and three closed-weight model families. We introduce a three-tier taxonomy: (L1) direct single-record corruption, (L2) compositional multi-record corruption and (L3) context-triggered dormant corruption. Our evaluations reveal a distinct defense frontier: while baseline write-time defenses, such as consistency checks, substantially suppress direct L1 attacks, they fail to reliably suppress L2 and L3 attacks. Through mechanistic influence decomposition (MID), we demonstrate structural blind spots in write-time defenses, which admit seemingly benign records that later become harmful through joint retrieval composition or trigger-conditioned activation. Our findings advocate for shifting from static filtering to adaptive, context-sensitive memory defense strategies.
Problem

Research questions and friction points this paper is trying to address.

persistent memory
adversarial attacks
LLM agents
memory security
structural blind spots
Innovation

Methods, ideas, or system contributions that make the work stand out.

MemPoison
persistent memory threats
mechanistic influence decomposition
context-triggered corruption
adaptive memory defense
🔎 Similar Papers
J
Jifeng Gao
State Key Laboratory for Novel Software Technology, Nanjing University, China
K
Kang Xia
State Key Laboratory for Novel Software Technology, Nanjing University, China
Yi Zhang
Yi Zhang
Department of Computer Science and Technology, Nanjing University
multi-modalmulti-viewmulti-label
Xiaobin Hong
Xiaobin Hong
Nanjing University
Graph MiningTime Series AnalysisLLM ReasoningAI4Science
Mingkai Lin
Mingkai Lin
Nanjing University
Graph learningSocial Network Analysis
X
Xingshen Wei
State Key Laboratory for Novel Software Technology, Nanjing University, China; NARI Group Corporation/State Grid Electric Power Research Institute, China
Wenzhong Li
Wenzhong Li
Nanjing University
Distributed ComputingData MiningEdge ComputingSocial Networks
S
Sanglu Lu
State Key Laboratory for Novel Software Technology, Nanjing University, China