Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

From Storage to Steering: Memory Control Flow Attacks on LLM Agents

Zhenlin Xu, Xiaogang Zhu, Yu Yao, Minhui Xue, Yiliao Song

Abstract

Modern agentic systems allow Large Language Model (LLM) agents to tackle complex tasks through extensive tool usage, forming structured control flows of tool selection and execution. Existing security analyses often treat these control flows as ephemeral, one-off sessions, overlooking the persistent influence of memory. This paper identifies a new threat from Memory Control Flow Attacks (MCFA) that memory retrieval can dominate the control flow, forcing unintended tool usage even against explicit user instructions and inducing persistent behavioral deviations across tasks. To understand the impact of this vulnerability, we further design MEMFLOW, an automated evaluation framework that systematically identifies and quantifies MCFA across heterogeneous tasks and long interaction horizons. To evaluate MEMFLOW, we attack state-of-the-art LLMs, including GPT-5 mini, Claude Sonnet 4.5 and Gemini 2.5 Flash on real-world tools from two major LLM agent development frameworks, LangChain and LlamaIndex. The results show that in general over 90% trials are vulnerable to MCFA even under strict safety constraints, highlighting critical security risks that demand immediate attention.

From Storage to Steering: Memory Control Flow Attacks on LLM Agents

Abstract

Modern agentic systems allow Large Language Model (LLM) agents to tackle complex tasks through extensive tool usage, forming structured control flows of tool selection and execution. Existing security analyses often treat these control flows as ephemeral, one-off sessions, overlooking the persistent influence of memory. This paper identifies a new threat from Memory Control Flow Attacks (MCFA) that memory retrieval can dominate the control flow, forcing unintended tool usage even against explicit user instructions and inducing persistent behavioral deviations across tasks. To understand the impact of this vulnerability, we further design MEMFLOW, an automated evaluation framework that systematically identifies and quantifies MCFA across heterogeneous tasks and long interaction horizons. To evaluate MEMFLOW, we attack state-of-the-art LLMs, including GPT-5 mini, Claude Sonnet 4.5 and Gemini 2.5 Flash on real-world tools from two major LLM agent development frameworks, LangChain and LlamaIndex. The results show that in general over 90% trials are vulnerable to MCFA even under strict safety constraints, highlighting critical security risks that demand immediate attention.
Paper Structure (46 sections, 3 theorems, 4 equations, 2 figures, 4 tables, 1 algorithm)

This paper contains 46 sections, 3 theorems, 4 equations, 2 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Formalization of Memory Control Flow Attacks and Experimental Verification
  4. Memory Control Flow Attacks
  5. Verification: Memory-Causal Deviation of MCFA
  6. Methodology: MemFlow
  7. Empirical Corollaries
  8. Experiments
  9. Experimental Setup and Implementation
  10. Main Results: MCFA Vulnerability Landscape
  11. Ablations Study
  12. Robustness Analysis
  13. Re-order Success criterion
  14. Frameworks and Models Robustness
  15. MFCA against Defense Evaluation
  16. ...and 31 more sections

Key Result

Theorem 1

Let $\mathcal{H}$ be the short-term conversation history and $\mathcal{E}_{iso}$ be an Isolated Evaluation Regime where $\mathcal{H} = \emptyset$. For any agent $\mathcal{A}$ and task $x$, if the tool trace $\tau$ generated under $\mathcal{E}_{iso}$ violates the safety policy $\Pi_{safe}$ (i.e., $\t

Figures (2)

  • Figure 1: Comparison between the standard execution path and our proposed attack. (a) Existing: Standard Path, where the LLM agent invokes tools (A, B, and C) in a predefined, benign sequence to generate correct outputs. (b) Ours: Memory Control Flow Attack, where the agent retrieves malicious context from memory, leading to a reordered workflow (A $\rightarrow$ D $\rightarrow$ C) that skips critical steps (Tool B) and ultimately produces a malicious output.
  • Figure 2: Overview of MemFlow. MemFlow is a evaluation framework that standardizes MCFA trials with an injection→auditing protocol, logging tool-call trajectories and computing the attack success rate.

Theorems & Definitions (9)

  • Definition 1: System Model: Memory-Augmented LLM Agents
  • Definition 2: Memory Control Flow Attack
  • Theorem 1: Memory-Causal Verification
  • proof
  • Remark 1
  • Corollary 1: Dominance of Retrieval
  • Remark 2
  • Corollary 2: Inefficacy of Textual Repair
  • Remark 3