[2602.15927] Visual Memory Injection Attacks for Multi-Turn Conversations

arXiv - Machine Learning 3 min read Article

Summary

This article discusses Visual Memory Injection (VMI) attacks on large vision-language models (LVLMs) in multi-turn conversations, highlighting security vulnerabilities that can lead to user manipulation.

Why It Matters

As LVLMs gain popularity, understanding their vulnerabilities is crucial for developing robust AI systems. This research exposes potential risks in user interactions, emphasizing the need for enhanced security measures to protect users from manipulation through visual inputs.

Key Takeaways

  • VMI attacks can manipulate LVLMs during multi-turn conversations.
  • The attack is stealthy, maintaining normal behavior until triggered.
  • This research highlights the need for improved robustness in LVLMs against visual manipulation.
  • The study demonstrates the feasibility of large-scale user manipulation.
  • Source code for the attack method is publicly available for further research.

Computer Science > Computer Vision and Pattern Recognition

arXiv:2602.15927 (cs) [Submitted on 17 Feb 2026]

Title: Visual Memory Injection Attacks for Multi-Turn Conversations

Authors: Christian Schlarmann, Matthias Hein

Abstract: Generative large vision-language models (LVLMs) have recently achieved impressive performance gains, and their user base is growing rapidly. However, the security of LVLMs, in particular in a long-context multi-turn setting, is largely underexplored. In this paper, we consider the realistic scenario in which an attacker uploads a manipulated image to the web/social media. A benign user downloads this image and uses it as input to the LVLM. Our novel stealthy Visual Memory Injection (VMI) attack is designed such that on normal prompts the LVLM exhibits nominal behavior, but once the user gives a triggering prompt, the LVLM outputs a specific prescribed target message to manipulate the user, e.g. for adversarial marketing or political persuasion. Compared to previous work that focused on single-turn attacks, VMI is effective even after a long multi-turn conversation with the user. We demonstrate our attack on several recent open-weight LVLMs. This article thereby shows that large-scale manipulation of users is feasible with perturbed images in multi-turn conversation settings, calling for...
