From Storage to Steering: Memory Control Flow Attacks on LLM Agents

TL;DR

This paper uncovers a new security vulnerability in LLM agents where persistent memory can manipulate control flow, leading to unintended tool usage and behavioral deviations, demonstrated through an automated evaluation framework.

Contribution

It introduces Memory Control Flow Attacks (MCFA) as a novel threat and presents MEMFLOW, an automated framework to identify and measure this vulnerability across various tasks.

Findings

Over 90% of trials vulnerable to MCFA across tested models.

Memory can dominate control flow, overriding explicit instructions.

MCFA poses critical security risks for LLM agent deployment.

Abstract

Modern agentic systems allow Large Language Model (LLM) agents to tackle complex tasks through extensive tool usage, forming structured control flows of tool selection and execution. Existing security analyses often treat these control flows as ephemeral, one-off sessions, overlooking the persistent influence of memory. This paper identifies a new threat from Memory Control Flow Attacks (MCFA) that memory can dominate the control flow, forcing unintended tool usage even against explicit user instructions and inducing persistent behavioral deviations across tasks. To understand the impact of this vulnerability, we further design MEMFLOW, an automated evaluation framework that systematically identifies and quantifies MCFA across heterogeneous tasks and long interaction horizons. To evaluate MEMFLOW, we attack state-of-the-art LLMs, including GPT-5 mini, Claude Sonnet 4.5 and Gemini 2.5 Flash on real-world tools from two major LLM agent development frameworks, LangChain and LlamaIndex. The results show that in general over 90% of trials are vulnerable to MCFA even under strict safety constraints, highlighting critical security risks that demand immediate attention.