Agent memory corrupts quietly, then every step inherits it

One early hallucination, bad tool result, or planted record gets written to the agent's memory. From then on it is read back as ground truth, and the error compounds.

B

Balagei G Nagarajan

4 MIN READ


A glowing agent memory store where one corrupted record spreads a darker tint outward into surrounding records, contaminating the whole bank

Key facts.

  • An attacker who can only send normal queries can poison an agent's long-term memory: the MINJA attack reached a 98.2% average injection success rate, slipping malicious records into the store that are retrieved and acted on later, while task utility barely moved, under 2% (Dong et al., MINJA, arXiv:2503.03704, NeurIPS 2025).
  • Once poisoned, the bad record drives real actions: MINJA's average attack success rate was 76.8%, reaching 90 to 100% on some agents (MINJA, 2025).
  • Corruption is not only malicious: state gets silently lost or truncated mid-run once a session outgrows the usable window. RULER finds effective context is only about 50 to 65% of the advertised length, so earlier state can quietly fall out of reach while the agent keeps acting on what remains (RULER, arXiv:2404.06654, 2024).

What is state or memory corruption in an agent?

An agent carries state: a scratchpad of intermediate reasoning, the running context, and often a persistent memory store it writes to and reads back across sessions. Corruption is when something false or malformed gets written into that state and every later step treats it as fact. Hallucination, bad tool result, planted record. Three paths. Same outcome. The moment it is in memory, it stops looking like a guess and starts looking like ground truth, because agent memory has no built-in notion of where a fact came from or how much to trust it.

Why does one bad entry poison every later step?

Because agents lack provenance, verification, and decay for their own state. A person keeps a rough sense of which beliefs are solid and which are hunches. A default agent does not. Once a claim is in context or the memory store, it is retrieved by similarity and fed back into reasoning with the same weight as a verified fact. The agent is not repeatedly making the same mistake. It made one mistake, wrote it down, and is now faithfully reading it back at every step.

A feedback loop: a bad entry is written to memory, retrieved as a trusted fact, influences the next step, which writes more corrupted state, closing the loop

Can someone poison an agent's memory on purpose?

Yes, and it is easier than it sounds. The MINJA attack showed that an adversary who can only send ordinary queries, with no direct access to the database, can still get malicious records written into an agent's long-term memory and retrieved on later, unrelated tasks. 98.2% injection success rate. 76.8% attack success rate, up to 90 to 100% on some agents. Normal task performance dropped under 2%. Nothing looked wrong (arXiv:2503.03704, NeurIPS 2025). The memory store is an attack surface, not just a convenience.

How do you keep state clean?

Treat agent memory like untrusted input that must earn its place. Tag every stored item with provenance, where it came from and whether it was verified. Validate tool results before writing to state. Expire or re-check old memory rather than trusting it forever. Scope memory per user and per task so one poisoned conversation cannot bleed into others. Keep a clean copy of the original goal outside the mutable scratchpad so a corrupted working state can be reset against a trusted baseline. VibeModel builds the layer that tracks which of the agent's beliefs are earned, which is the Pattern Intelligence Layer.

Frequently asked questions

Is this the same as the agent hallucinating?
Hallucination is the source of one bad entry. Corruption is what happens next: that entry is written to state and read back as fact at every later step, so a single hallucination becomes a persistent, compounding error rather than a one-off.

How is memory poisoning different from prompt injection?
Prompt injection steers the agent in the moment. Memory poisoning is durable: a malicious record is stored and retrieved on future, unrelated tasks, so the influence outlives the conversation that planted it. MINJA showed it works with query-only access.

What is the first thing to fix?
Stop writing unverified content to durable memory. Validate tool results and tag provenance before anything is stored, and keep the original goal in a clean, read-only slot so a corrupted scratchpad can be reset against it.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.