
Key facts.
- An attacker who can only send normal queries can poison an agent's long-term memory: the MINJA attack reached a 98.2% average injection success rate, slipping malicious records into the store that are retrieved and acted on later, while task utility barely moved, under 2% (Dong et al., MINJA, arXiv:2503.03704, NeurIPS 2025).
- Once poisoned, the bad record drives real actions: MINJA's average attack success rate was 76.8%, reaching 90 to 100% on some agents (MINJA, 2025).
- Corruption is not only malicious: state gets silently lost or truncated mid-run once a session outgrows the usable window. RULER finds effective context is only about 50 to 65% of the advertised length, so earlier state can quietly fall out of reach while the agent keeps acting on what remains (RULER, arXiv:2404.06654, 2024).
What is state or memory corruption in an agent?
An agent carries state: a scratchpad of intermediate reasoning, the running context, and often a persistent memory store it writes to and reads back across sessions. Corruption is when something false or malformed gets written into that state and every later step treats it as fact. Hallucination, bad tool result, planted record. Three paths. Same outcome. The moment it is in memory, it stops looking like a guess and starts looking like ground truth, because agent memory has no built-in notion of where a fact came from or how much to trust it.
Why does one bad entry poison every later step?
Because agents lack provenance, verification, and decay for their own state. A person keeps a rough sense of which beliefs are solid and which are hunches. A default agent does not. Once a claim is in context or the memory store, it is retrieved by similarity and fed back into reasoning with the same weight as a verified fact. The agent is not repeatedly making the same mistake. It made one mistake, wrote it down, and is now faithfully reading it back at every step.

Can someone poison an agent's memory on purpose?
Yes, and it is easier than it sounds. The MINJA attack showed that an adversary who can only send ordinary queries, with no direct access to the database, can still get malicious records written into an agent's long-term memory and retrieved on later, unrelated tasks. 98.2% injection success rate. 76.8% attack success rate, up to 90 to 100% on some agents. Normal task performance dropped under 2%. Nothing looked wrong (arXiv:2503.03704, NeurIPS 2025). The memory store is an attack surface, not just a convenience.
How do you keep state clean?
Treat agent memory like untrusted input that must earn its place. Tag every stored item with provenance, where it came from and whether it was verified. Validate tool results before writing to state. Expire or re-check old memory rather than trusting it forever. Scope memory per user and per task so one poisoned conversation cannot bleed into others. Keep a clean copy of the original goal outside the mutable scratchpad so a corrupted working state can be reset against a trusted baseline. VibeModel builds the layer that tracks which of the agent's beliefs are earned, which is the Pattern Intelligence Layer.
Frequently asked questions
Is this the same as the agent hallucinating?
Hallucination is the source of one bad entry. Corruption is what happens next: that entry is written to state and read back as fact at every later step, so a single hallucination becomes a persistent, compounding error rather than a one-off.
How is memory poisoning different from prompt injection?
Prompt injection steers the agent in the moment. Memory poisoning is durable: a malicious record is stored and retrieved on future, unrelated tasks, so the influence outlives the conversation that planted it. MINJA showed it works with query-only access.
What is the first thing to fix?
Stop writing unverified content to durable memory. Validate tool results and tag provenance before anything is stored, and keep the original goal in a clean, read-only slot so a corrupted scratchpad can be reset against it.

