Search papers, labs, and topics across Lattice.
This paper introduces Memory Control Flow Attacks (MCFA), a novel threat where memory retrieval in LLM agents overrides intended tool usage, even against user instructions. They develop MEMFLOW, an automated framework, to systematically evaluate MCFA vulnerabilities across diverse tasks and long interaction horizons. Experiments on GPT-5 mini, Claude Sonnet 4.5, and Gemini 2.5 Flash using LangChain and LlamaIndex tools reveal that over 90% of trials are vulnerable to MCFA, even with safety constraints.
LLM agents are shockingly susceptible to memory manipulation, with over 90% of trials vulnerable to attacks that force unintended tool usage and persistent behavioral deviations.
Modern agentic systems allow Large Language Model (LLM) agents to tackle complex tasks through extensive tool usage, forming structured control flows of tool selection and execution. Existing security analyses often treat these control flows as ephemeral, one-off sessions, overlooking the persistent influence of memory. This paper identifies a new threat from Memory Control Flow Attacks (MCFA) that memory retrieval can dominate the control flow, forcing unintended tool usage even against explicit user instructions and inducing persistent behavioral deviations across tasks. To understand the impact of this vulnerability, we further design MEMFLOW, an automated evaluation framework that systematically identifies and quantifies MCFA across heterogeneous tasks and long interaction horizons. To evaluate MEMFLOW, we attack state-of-the-art LLMs, including GPT-5 mini, Claude Sonnet 4.5 and Gemini 2.5 Flash on real-world tools from two major LLM agent development frameworks, LangChain and LlamaIndex. The results show that in general over 90% trials are vulnerable to MCFA even under strict safety constraints, highlighting critical security risks that demand immediate attention.
