Inferensys

Glossary

Key-Value Cache Poisoning

The manipulation of the transformer's KV cache during inference to alter the model's attention pattern, causing it to attend to adversarial tokens over legitimate context.
Engineer optimizing context window usage on laptop, token usage charts visible, technical work session.
INFERENCE-TIME ATTACK

What is Key-Value Cache Poisoning?

Key-Value Cache Poisoning is an inference-time attack that manipulates the transformer's stored attention state, causing the model to attend to adversarial tokens over legitimate context.

Key-Value Cache Poisoning is an adversarial technique that directly modifies the stored key-value pairs within a transformer's attention mechanism during autoregressive generation. Unlike prompt injection, which targets raw text input, this attack operates on the model's internal latent representations, altering the mathematical weights that determine which tokens the model 'pays attention to' when predicting the next sequence element.

By injecting a crafted perturbation into the KV cache, an attacker can hijack the model's attention pattern, forcing it to prioritize attacker-controlled context while ignoring legitimate system prompts or safety instructions. This bypasses input-level guardrails entirely, as the malicious signal is introduced post-tokenization within the model's computational graph, making it a potent threat for agents relying on long-context caching for efficiency.

KEY-VALUE CACHE POISONING

Primary Attack Vectors

The manipulation of the transformer's KV cache during inference to alter the model's attention pattern, causing it to attend to adversarial tokens over legitimate context.

01

Attention Hijacking

The core mechanism of KV cache poisoning involves overwriting or injecting adversarial Key-Value pairs into the cache. Since the attention mechanism computes relevance by comparing query vectors against stored keys, a poisoned cache causes the model to allocate disproportionate attention weights to attacker-controlled tokens. This effectively silences legitimate system prompts or retrieved context, redirecting the model's focus to malicious instructions hidden within the cache state.

02

Shared Prefix Exploitation

In serving systems that use prefix caching for efficiency, multiple users or requests may share a common KV cache prefix. An attacker can poison this shared prefix with adversarial key-value states. Subsequent requests that reuse the cached prefix inherit the poisoned attention pattern, enabling a cross-request attack where one user's malicious payload influences another user's model outputs without direct interaction.

03

Residual Stream Injection

This advanced variant bypasses token-level manipulation by directly injecting a crafted residual stream vector into the model's forward pass. The injected vector is added to the hidden states before they are projected into keys and values, effectively steering the entire attention computation. This allows an attacker to override internal representations without needing to place visible adversarial tokens in the text input, making detection significantly harder.

04

Cache Eviction Manipulation

Transformers with finite cache sizes must evict older KV pairs to make room for new tokens. Attackers exploit eviction policies by flooding the context with padding tokens that displace critical safety instructions from the cache. Once the system prompt's KV pairs are evicted, the model operates without safety constraints. This is a temporal attack that weaponizes the cache's limited capacity against itself.

05

Multi-Turn Cache Persistence

In conversational agents that persist the KV cache across dialogue turns, an attacker can poison the cache in an early turn and have the malicious attention pattern persist indefinitely. The poisoned keys and values remain resident in memory, influencing all subsequent reasoning. This long-range contamination is particularly dangerous because the attack surface extends across the entire session lifetime, not just a single prompt.

06

Speculative Decoding Attacks

Systems using speculative decoding generate candidate tokens with a draft model and verify them with the target model, sharing KV caches between the two. An attacker who compromises the draft model can inject poisoned KV states that the target model inherits during verification. This creates a supply-chain attack vector where a weaker, less-secured model poisons a more capable one through shared cache infrastructure.

ATTACK VECTOR COMPARISON

KV Cache Poisoning vs. Related Attacks

Distinguishing KV cache poisoning from other context manipulation and adversarial injection techniques targeting transformer-based agents during inference.

FeatureKV Cache PoisoningAdversarial Context InjectionIndirect Prompt Injection

Attack Surface

Transformer's key-value cache during autoregressive decoding

Agent's assembled context window (system prompt, history, retrieved docs)

External data sources ingested by the agent (web pages, emails, documents)

Injection Point

Residual stream / attention layer activations

Textual input to the language model

Third-party content before agent retrieval

Persistence

Persists across multiple generation steps within a single forward pass sequence

Persists for the duration of the context window or session

Persists as long as the poisoned source remains in the retrieval corpus

Requires Model Access

Bypasses Content Filters

Exploits Attention Mechanism

Mitigation Strategy

Cache integrity verification, attention head monitoring, activation anomaly detection

Input sanitization, strict prompt formatting, delimiter hardening

Data provenance validation, source reputation scoring, sandboxed retrieval

Detection Difficulty

High

Medium

Medium

KEY-VALUE CACHE POISONING

Frequently Asked Questions

Key-Value Cache Poisoning is an advanced adversarial attack targeting the inference-time state of transformer models. Unlike prompt injection, which manipulates input text, this attack directly corrupts the model's internal attention mechanism, causing it to attend to attacker-chosen tokens over legitimate context.

Key-Value (KV) Cache Poisoning is an adversarial technique that manipulates the stored key and value tensors within a transformer's attention mechanism during autoregressive decoding. In standard inference, the KV cache stores pre-computed representations of previous tokens to avoid redundant computation. An attacker with access to this cache—through a shared inference infrastructure vulnerability, a side-channel, or a compromised serving layer—can overwrite specific key-value pairs. This causes the model's attention heads to allocate disproportionate weight to adversarial tokens, effectively hijacking the model's contextual understanding. The attack exploits the fact that attention is a differentiable, content-addressable memory: by injecting crafted vectors, the attacker redirects the query-key dot product scores to favor malicious values, altering the model's output without modifying the visible input prompt.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.