iGEN
Visit IGEN World Explore IGEN Expo
EXPLORE UPGRADE PLANS
BREAKING
Gated QKAN-FWP: Quantum-Inspired Sequence Learning Achieves Parameter Efficiency on NISQ Devices The Robot Vacuums Cleaning My Three-Story Home for Me New Framework TRACED Evaluates LLM Reasoning Using Geometric Stability and Progress Everllence Lands First Order for Next-Gen Methane Dual-Fuel Engine on Car Carriers How Scale Design Impacts LLM Metacognition and Enterprise AI Reliability GMN4AD: New Graph Matching Network Boosts Alzheimer's Diagnosis Accuracy Using Multi-Center MRI Data Adaptive Memory Crystallization: New AI Architecture Slashes Forgetting by 80% While Boosting Knowledge Transfer by 43% RaBiT: Residual-Aware Binarization Training for Accurate and Efficient Large Language Models U.S. Military Uses Iranian Smuggling Tactic for Gulf Oil Transfers Amid Strait Closure PASTE System Cuts AI Agent Latency by 43.5% via Parallel Tool Execution and LLM Generation Gated QKAN-FWP: Quantum-Inspired Sequence Learning Achieves Parameter Efficiency on NISQ Devices The Robot Vacuums Cleaning My Three-Story Home for Me New Framework TRACED Evaluates LLM Reasoning Using Geometric Stability and Progress Everllence Lands First Order for Next-Gen Methane Dual-Fuel Engine on Car Carriers How Scale Design Impacts LLM Metacognition and Enterprise AI Reliability GMN4AD: New Graph Matching Network Boosts Alzheimer's Diagnosis Accuracy Using Multi-Center MRI Data Adaptive Memory Crystallization: New AI Architecture Slashes Forgetting by 80% While Boosting Knowledge Transfer by 43% RaBiT: Residual-Aware Binarization Training for Accurate and Efficient Large Language Models U.S. Military Uses Iranian Smuggling Tactic for Gulf Oil Transfers Amid Strait Closure PASTE System Cuts AI Agent Latency by 43.5% via Parallel Tool Execution and LLM Generation
Home ›› Technology ›› Ai ›› Llms ›› New Attack FragFuse Exploits LLM Agent Memory to Bypass Access Controls
iGEN
Technology Artificial Intelligence

New Attack FragFuse Exploits LLM Agent Memory to Bypass Access Controls

Researchers introduce FragFuse, a novel attack that bypasses access control in large language model agents by fragmenting prohibited queries across interactions and storing them in long-term memory, later reconstructing them without triggering defenses. The attack achieves an 86.3% average bypass success rate across multiple agent settings and exposes a critical vulnerability in memory-based AI systems.

iG
iGEN Editorial
June 16, 2026
New Attack FragFuse Exploits LLM Agent Memory to Bypass Access Controls

Enterprise adoption of large language model (LLM) agents is accelerating, but a new research paper reveals a fundamental security gap in how these agents handle memory. The attack, named FragFuse, exploits the temporal channel introduced by long-term memory to circumvent access-control mechanisms, according to a preprint on arXiv (arXiv:2606.15609).

Attack Mechanism: Fragmentation and Fusion

FragFuse operates in three stages. First, it identifies rejection-responsive fragments via black-box adaptive querying with fragment masking — determining which parts of a policy-violating request trigger access control. Second, it injects these fragments into the agent's long-term memory using marker carrier queries, storing them in benign-appearing form. Third, a follow-up attack query retrieves and fuses the stored fragments, reconstructing the prohibited content without it appearing explicitly in the final user query.

According to the paper, this is the first attack to bypass agent access control by exploiting memory operations. The researchers developed a surrogate-based optimization scheme that tunes fusion instructions and marker designs, enabling automated attack generation without violating the attacker's threat-model assumptions.

Performance Metrics and Evaluation

The researchers evaluated FragFuse across four representative agent settings and task domains, covering three state-of-the-art agent access-control mechanisms. Key results are shown in the table below:

Metric Value
Average bypass success rate 86.3%
Average end-to-end harmful task success rate 41.1%
Average task-success degradation vs. no access control 4.4%

Importantly, the attack maintains nearly the same task success rate as configurations without access control (only 4.4% degradation), indicating that bypassing does not sacrifice functional performance.

Defenses Ineffective

The paper also tested alternative defenses, including state-of-the-art prompt-injection detectors and perplexity detectors. None effectively addressed the FragFuse attack. This underscores a critical gap in current security approaches for LLM agents that rely on long-term memory.

Broader Implications

The FragFuse attack highlights a novel attack surface arising from agent memory operations. As enterprises increasingly deploy LLM agents for tasks like customer support, code generation, and data analysis, the ability to bypass access controls could lead to unauthorized actions or data exposure. The research suggests that memory-based architectures require fundamentally new defense mechanisms that can detect and prevent temporal fragmentation of policy-violating content.

While the study does not name specific commercial agents, its findings are broadly applicable to any LLM agent with long-term memory and access control. Enterprise technology leaders should evaluate the memory management and access-control implementations of any AI agents in their stack.

Sources:

Keep Reading

Recommended Stories

AIChilles Automatically Unearths Hidden Weaknesses in AI-Evolved Programs Technology

AIChilles Automatically Unearths Hidden Weaknesses in AI-Evolved Programs

Researchers developed AIChilles, an automated tool that uncovers hidden weaknesses in AI-evolved programs. Testing 30 AI-generated programs across five system applications, it found 49 distinct failures in correctness, runtime, memory, and output quality. The tool combines workload extraction, constraint inference, and differential oracles to identify regressions that could undermine AI-generated code reliability.

June 16, 2026
CmdNeedle Reveals Widespread Fragility in AI Agent Command Denylists Technology

CmdNeedle Reveals Widespread Fragility in AI Agent Command Denylists

A research paper introduces CmdNeedle, an LLM-driven pipeline that systematically detects incompleteness in command denylists used by terminal AI agents. Evaluating 1,709 real-world denylists, the study finds that 69.0–98.6% are fragile, meaning they can be bypassed by alternative commands, undermining security.

June 16, 2026
How Scale Design Impacts LLM Metacognition and Enterprise AI Reliability Technology

How Scale Design Impacts LLM Metacognition and Enterprise AI Reliability

A study on arXiv reveals that the confidence scale used in LLMs (typically 0-100) leads to heavy discretization, with over 78% of responses on three round numbers. Changing the scale to 0-20 improves metacognitive efficiency. The findings have implications for enterprise use of LLMs in supply chain decision-making where confidence calibration is critical.

June 16, 2026
MA-ProofBench: New Benchmark Tests LLMs on Formal Theorem Proving in Mathematical Analysis Technology

MA-ProofBench: New Benchmark Tests LLMs on Formal Theorem Proving in Mathematical Analysis

Researchers introduce MA-ProofBench, the first formal theorem-proving benchmark dedicated to mathematical analysis. It contains 200 theorems across six topics at two difficulty levels. Evaluations show that even the best model, GPT-5.5, achieves only 16% Pass@8 on undergraduate-level problems and 5% on Ph.D.-level problems, highlighting significant limitations of current LLMs in formal mathematical reasoning.

June 16, 2026