Although persistent memory enhances the continuity and personalization of large language model (LLM) agents, the accumulation of contaminated or biased memories can lead to behavioral anomalies. Current research lacks systematic evaluation of memory misevolution—the unintended degradation or distortion of memory over time. To address this gap, this work proposes MemEvoBench, the first benchmark for assessing memory safety in LLM agents. Integrating question-answering tasks across seven domains and 36 risk categories with multi-turn workflow scenarios, MemEvoBench systematically evaluates the long-term safety impact of memory evolution by interleaving benign and adversarial memories, simulating noisy tool outputs, and incorporating biased user feedback. Experiments reveal that mainstream models exhibit significant performance degradation under biased memory updates, confirming memory evolution as a key driver of behavioral drift and exposing the limitations of static prompt-based defenses, thereby underscoring the urgent need for dynamic memory safety mechanisms.

Equipping Large Language Models (LLMs) with persistent memory enhances interaction continuity and personalization but introduces new safety risks. Specifically, contaminated or biased memory accumulation can trigger abnormal agent behaviors. Existing evaluation methods have not yet established a standardized framework for measuring memory misevolution. This phenomenon refers to the gradual behavioral drift resulting from repeated exposure to misleading information. To address this gap, we introduce MemEvoBench, the first benchmark evaluating long-horizon memory safety in LLM agents against adversarial memory injection, noisy tool outputs, and biased feedback. The framework consists of QA-style tasks across 7 domains and 36 risk types, complemented by workflow-style tasks adapted from 20 Agent-SafetyBench environments with noisy tool returns. Both settings employ mixed benign and misleading memory pools within multi-round interactions to simulate memory evolution. Experiments on representative models reveal substantial safety degradation under biased memory updates. Our analysis suggests that memory evolution is a significant contributor to these failures. Furthermore, static prompt-based defenses prove insufficient, underscoring the urgency of securing memory evolution in LLM agents.