T4-AT-007HIGH
Context Window Exhaustion
T4 · Multi-Turn & Memory Manipulation →Risk score205
RatingHigh
Procedures10
Severity
Mechanism
, 2024): information at the beginning and end of the context window receives stronger attention than information in the middle. System prompt safety instructions are positioned at the start of the context. As the conversation grows, the effective attention weight on these instructions decreases — not to zero, but enough to reduce the safety classifier's influence on generation.
Detection
- Context length monitoring: Track conversation length and apply compensatory safety measures as length increases
- System prompt attention measurement: Monitor the effective attention weight on safety-critical system prompt tokens (requires model introspection access)
- Conversation length anomaly detection: Flag conversations that are significantly longer than the user's typical pattern
- Position-aware safety evaluation: Reinsert safety instructions periodically or at the end of the context window
Mitigation
System prompt re-injectionHIGH
Attention anchoringHIGH
Conversation length limitsMEDIUM
Many-shot detectionMEDIUM
Chaining
Context window exhaustion is a preparatory technique that reduces safety enforcement for subsequent attacks. Chains directly into T4-AT-001 (Context Poisoning) and T4-AT-005 (Incremental Assembly) by creating a context environment where safety instructions have reduced influence.
Framework mapping
Open in the technique browser →OWASP LLMLLM01
MITRE ATLASAML.T0051.000